Australian privacy regulator sues in data breach case

On 3 November 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (fine) in connection with the company’s response to a data breach that occurred in February 2022.  The case is significant because (1) it is only the second time that the Australian regulator has taken court proceedings of this kind despite having the power to do so since 2014, and (2) it signals the regulator’s priority in ensuring that cyber-security incidents are responded to swiftly.  The Australian parliament increased maximum penalties for ‘serious’ contraventions of the Privacy Act with effect from December 2022 to at least A$50 million.[1]  However, the maximum penalty available in this case will be in the order of A$2.2 million because the company’s conduct occurred prior to December 2022.

The publicly available facts

Australian Clinical Labs Limited is listed on the Australian Securities Exchange and operates one of the largest pathology businesses in Australia.  The information set out below is based on announcements by the company to the market and by the regulator.

The company acquired Medlab Pathology in December 2021.[2]

In February 2022 Medlab became aware of unauthorised third-party access to its IT system, and undertook a forensic investigation led by independent external cyber experts.  That investigation did not reveal any evidence that patient data had been exfiltrated.[3]

In March 2022, the Australian Cyber Security Centre (ACSC, an agency within the Australian federal government) contacted the company to advise that it had received intelligence that Medlab may have been the victim of a ransomware incident.  The company responded to the ACSC that, to its knowledge, no data had been compromised.[4]

In June 2022, the ACSC contacted the company again to advise that it believed that Medlab patient data had been posted on the dark web.  The company took immediate steps to find and download the data set from the dark web and to analyse it.[5]

On 10 July 2022, the company notified the Office of the Australian Information Commissioner (OAIC) of the incident.[6]

On 27 October 2022, the company announced to the Australian Securities Exchange that it had suffered a cyber security incident affecting its Medlab Pathology business and that based on its forensic analysis had determined that approximately 223,000 individuals had been affected.  Within this figure approximately 17,500 had medical and health records associated with a pathology test, approximately 28,000 had credit card details compromised and approximately 128,000 Medicare numbers were compromised.[7]

On 5 December 2022, the OAIC announced that it had commenced an investigation into the personal information handling practices of Medlab Pathology in relation to its notifiable data breach.[8]

Approximately 11 months later, proceedings were filed in the Federal Court of Australia.[9]

The allegations in the case

The originating documents are not yet publicly available.  The OAIC’s announcement of the filing of the proceedings says that the allegations are that:

  • between May 2021 (which is before the company had acquired Medlab) and September 2022 the company failed to take reasonable steps to protect the personal information of its patients from unauthorised access or disclosure, which left the company vulnerable to cyberattack.  If made out, this would be a breach of Australian Privacy Principle 11.1.
  • the company breached s26WH of the Privacy Act, which required the company to carry out a reasonable and expeditious assessment of whether a notifiable data breach had occurred, and to take all reasonable steps to ensure that the assessment was completed within 30 days.
  • the company breached s26WK of the Privacy Act, which required the company to notify the OAIC of a notifiable data breach as soon as practicable after it became aware that there were reasonable grounds to believe that a notifiable data breach had occurred.

The company has said that it will be defending the claim and that it asserts that its cyber security systems are robust.[10]

Initial observations on the allegations

Security measures. The question of the adequacy of the security measures implemented by the company will be a matter for expert evidence.[11]  The regulator has statutory powers to require the production of information and documents, and to interview witnesses on oath, when investigating.[12]  It is reasonable to assume that the regulator has utilised these powers to obtain evidence of the security measures in place during the relevant period and retained an expert to give an opinion on the adequacy of those measures.  If the company is to defend the claim successfully, it will need to retain its own expert witness and, if agreement cannot be reached between the experts, the court will need to decide which opinion it accepts.

Investigation of the incident and notification of the regulator. The regulator’s case must be that the obligation to conduct an investigation was triggered in February 2022 and that the company should not have concluded that there was no risk of serious harm to individuals simply because the forensic investigation did not reveal evidence of exfiltration.  This has been a theme that has emerged in periodic reports published by the OAIC in connection with data breaches that have been notified to the regulator.  For example, in a report published in September 2023, the OAIC stated:[13]

If an entity suspects a data breach has occurred but is unable to eliminate that suspicion quickly and confidently, the entity should consider proceeding on the presumption that there has been a data breach. Notification obligations are triggered once there are reasonable grounds to believe that an eligible data breach has occurred. Conclusive or positive evidence of unauthorised access, disclosure or loss is not required for an entity to assess that an eligible data breach has occurred.

Given the clear risks posed by exfiltration, the OAIC appreciates that initial priority may be given to assessing exfiltrated data and notifying individuals to whom it relates. However, an eligible data breach can occur based on unauthorised access alone and individuals’ data can be stolen by less traceable means, such as screenshots. Therefore, entities should not rely on data exfiltration as the determinative factor for deciding whether an eligible data breach has occurred. Entities need to consider all the information that was accessed by a threat actor, or the information that was accessible to them.

The company is likely to argue that it satisfied its obligation to investigate in February 2022 and in light of the findings of the forensic investigation formed the opinion that a reasonable person would conclude that the incident was not likely to result in serious harm to individuals, so it did not notify the OAIC at that time.  On this approach, the company is also likely to say that the obligation to investigate was re-enlivened in June 2022 when the ACSC told the company about the data that was available on the dark web, and that investigation was performed on a reasonable and expeditious basis and notified to the OAIC within the 30-day period.

Collateral issues.

Cyber risks in M&A. If the regulator wins its case that the security measures were inadequate from May 2021, the company may have a warranty claim against the sellers of the Medlab Pathology business (which was acquired in December 2021) depending on the warranties that were given and any agreed limitation periods for making warranty claims.  However, it appears from the company’s announcements in relation to the acquisition of Medlab Pathology that the transaction was by way of a purchase of business assets.[14]  If that was the case there are implications for the OAIC’s allegation that Australian Clinical Labs Limited was liable for breaches of APP 11 in the period prior to the completion of the purchase, because Australian Clinical Labs Limited would not have been the entity that ‘held’ records containing personal information generated in the course of the Medlab Pathology business so would not have been subject to the security obligations under APP 11 until completion occurred.  The case is a real example of the importance of risk allocation in an M&A transaction for liability arising from latent information security vulnerabilities existing prior to completion of the transaction.

Class actions. The company also faces a risk of class actions.[15]  As Australian readers will know, private health insurer Medibank Private Limited suffered a large-scale data breach in October 2022.  As a result Medibank is facing a consumer class action (on behalf of individuals who claim to have suffered harm as a result of the incident) and a securities class action (on behalf of investors).  Similarly, the Australian telecommunications company, Optus, suffered a large-scale data breach in September 2022 and is facing a consumer class action. There is no securities class action in Australia against Optus because the company is a subsidiary of Singapore Telecommunications Limited, which is listed in Singapore rather than Australia.  No class action has been announced against Australian Clinical Labs at the time of writing.  Potential funders are likely evaluating the economic viability of such a case, which would be much smaller in scale than in the actions against Medibank and Optus due to the smaller class size.

Notes

[2] The transaction was announced to the market on 15 November 2021 and stated that it was subject to customary approvals.  The company announced on 20 December 2021 that the acquisition had been completed.

[3] See the company’s announcement to the market of 27 October 2022.

[4] See the company’s announcement to the market of 27 October 2022.

[5] See the company’s announcement to the market of 27 October 2022.

[6] See the company’s announcement to the market of 27 October 2022.

[10] See the company’s announcement to the market of 3 November 2023.

[11] In ASIC v RI Advice Group Pty Ltd [2022] FCA 466 the court observed (at [46]) that ‘Cyber risk management is a highly technical area of expertise. The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person.’

[12] See Privacy Act 1988 (Cth), ss44, 45 and 66.

[14] A search of the register of Australian trade marks reveals that Australian registered trade mark 1716941 for the words ‘MEDLAB PATHOLOGY’ was assigned by Medlab Pathology Pty Ltd as trustee for the Medlab Pathology Unit Trust to Clinical Laboratories Pty Ltd (a subsidiary of Australian Clinical Labs Limited) in December 2021, and a search of the ASIC register of companies reveals that Medlab Pathology Pty Ltd changed its name to MP Trusco Pty Ltd in December 2021.  These are consistent with the description of the transaction as an acquisition of a business, rather than a purchase of shares.

[15] See KWM’s review of class actions in 2022/23 for discussion of the emergence of data breach class actions in Australia, https://www.kwm.com/au/en/insights/latest-thinking/publication/the-review-class-actions-in-australia-2022-2023.html, at pages 30-31.
