A landmark fine imposed after hundreds of thousands of pathology patients had their details leaked has been seen as a “vivid reminder” to corporations about protecting private data.
Medlab Pathology was hit with a cyber attack and ransomware demand by a malicious actor known as the Quantum Group in February 2022.
About 86 gigabytes of data was taken and published on the dark web four months later, including the personal and health details of more than 223,000 individuals.
Medlab’s parent firm Australian Clinical Labs was sanctioned by the Federal Court on Wednesday, receiving a $5.8 million fine in a landmark decision that is the first of its kind.

Justice John Halley found the company failed to protect the personal data of patients and did not conduct a proper assessment of whether there had been a data breach after the attack.
Australian Clinical Labs, one of the nation’s largest private pathology providers, also failed to swiftly notify the Office of the Australian Information Commissioner.
The commissioner was notified in July 2022, while the public were told in October 2022.
Despite operating in “a high cyber threat landscape”, the company did not take steps to identify vulnerabilities and deficiencies in Medlab’s IT systems when it acquired the company in December 2021, the judge said.

Justice Halley said the privacy law breaches were “extensive and significant”.
“I am satisfied that the contraventions, given the nature of the information posted on the dark web, had at least the potential to cause significant harm to individuals whose information had been exfiltrated,” he wrote.
The company had admitted its misconduct, co-operated with the commissioner, had not deliberately flouted the law and did not gain financially from the breaches, he said.
Privacy Commissioner Carly Kind called the judgment a “turning point” for the enforcement of privacy law in Australia.
“This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold,” she said.
Thursday’s penalty was a wake-up call for businesses to meet their duty of care to protect customer data, cyber security academic Matthew Warren told AAP.
Organisations had to see cybercrime as a business risk, rather than just a technological one, and invest in the infrastructure to protect against these kinds of attacks, Professor Warren said.
“The government’s going to start holding companies to account when they fail in this duty of care,” the director of the RMIT Centre for Cyber Security Research and Innovation said on Thursday.
In an ASX announcement in September, the firm again apologised to customers and employees who were impacted.
“While the Medlab Cyberattack was isolated to the newly acquired Medlab business, we remain steadfast in our commitment to the protection of patient data, data governance and continuously improving our cybersecurity systems and controls,” the company wrote.
The 2021 acquisition cost Australian Clinical Labs $70 million.
Australian Associated Press is the beating heart of Australian news. AAP is Australia’s only independent national newswire and has been delivering accurate, reliable and fast news content to the media industry, government and corporate sector for 85 years. We keep Australia informed.