First civil penalty – a warning for business about privacy protection
$5.8 million – the weighty first civil penalty imposed for a data breach under the Privacy Act 1988.
On 25 February 2022, Medlab Pathology suffered a data breach that exposed the personal data of 223,000 Australians. Threat actors, the ‘Quantum Group’, launched a ransomware attack against the company’s IT systems. The attack included a ransom demand threatening to publish the stolen data within 48 hours. The attack saw the exfiltration (unauthorised transfer) of 86GB of data including personal and sensitive health information.
Although the breach occurred in February, the incident was not properly reported to the Office of the Australian Information Commissioner (OAIC) until July 2022. In November 2023, the OAIC ruled that Australian Clinical Labs Limited (ACL), the company that had acquired Medlab Pathology in December 2021, would need to face court over claims that its data protection methods were insufficient.
Law firm Colin Biggers & Paisley note that the OAIC commenced proceedings in the Federal Court, seeking orders that ACL had breached section 13G(a) of the Privacy Act by failing to:
- take reasonable steps to protect individuals’ personal information that it held over the period from 26 May 2021 to 29 September 2022 and
- conduct a reasonable assessment of whether the Medlab Cyberattack constituted an ‘eligible data breach’ and then failing to notify the Commissioner as soon as practicable.
In October 2025, the Federal Court of Australia ordered the first civil penalty under the Privacy Act against ACL totalling $5.8 million, plus an order for ACL to pay $400,000 to the OAIC as a contribution to the Commissioner’s costs in the proceedings.
In granting the penalty orders, Justice Halley found that:
- there had been an ‘eligible data breach’ under the Privacy Act, and as a result, ACL did not notify the impacted individuals within the required 30 days nor provide the required statement
- ACL did not take ‘such steps as are reasonable in the circumstances’ to protect the personal information held on the Medlab IT systems from ‘unauthorised access’ and ‘unauthorised disclosure’
- there were approximately 223,000 contraventions of section 13G(a) arising from the breach by ACL, and
- “in aggregate, the agreed penalty of $5.8 million is appropriate in all the circumstances”.
This was the first civil penalty proceeding brought by the Australian Information Commissioner in the history of the Privacy Act – serving as a warning that the authorities will not hesitate to litigate when companies fail to adequately respond and prevent data breaches.
New penalties
As the incident occurred prior to December 2024, when the civil penalties were substantially increased, the $5.8 million fine imposed on ACL is a fraction of what businesses now face if found to have breached privacy laws.
The maximum penalty under section 13G of the Privacy Act (a serious or repeated interference with privacy) is now $2.5 million for a non-body corporate and, for a body corporate, an amount not exceeding the greater of:
- $50 million, or
- if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – three times the value of that benefit, or
- if a court cannot determine the value of that benefit, the penalty is 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
Breach reporting requirements
The Notifiable Data Breaches (NDB) scheme came into effect on 22 February 2018. The NDB requires organisations covered by the Privacy Act to notify affected individuals and the OAIC when a data breach is likely to result in serious harm.
Which businesses must comply
Entities that have existing obligations under the Privacy Act to secure personal information must comply with the NDB scheme. This includes Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than $3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information, and tax file number (TFN) recipients.
Definition of a data breach
A data breach occurs when personal information is accessed or disclosed without authorisation, or is lost. Under the Privacy Act, a breach is considered ‘eligible’ if it is likely to result in serious harm to individuals whose information is involved.
Definition of eligible breach
The OAIC states an eligible data breach occurs when:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an organisation or agency holds
- this is likely to result in serious harm to one or more individuals, and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
Definition of serious harm
While ‘serious harm’ is not defined in the Act, the OAIC has released guidance on how serious harm may be interpreted and assessed: “Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position.” The OAIC describes a ‘reasonable person’ as: “a person in the entity’s position (rather than the position of an individual whose personal information was part of the data breach or any other person), who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach”.
Therefore, whether an individual is likely to suffer serious harm is an objective test from the perspective of a reasonable person, notes Dundas Lawyers. The assessment should consider the potential physical, psychological, emotional, financial or reputational harm the affected person could suffer as a result of the data breach. The OAIC guidelines for assessing serious harm include factors such as the type of personal information involved and the measures taken to prevent unauthorised access.
When and how to report
If an organisation suspects that an eligible data breach has occurred, it must assess the situation within 30 days. If it is determined that serious harm is likely, the organisation must notify the OAIC and affected individuals as soon as practicable.
Notifications must include:
- the nature of the breach
- the information involved, and
- recommendations for individuals on how to protect themselves from potential harm.
Beyond the OAIC
It isn’t only the OAIC that is pursuing businesses that fail to protect data. Other authorities such as the Australian Communications and Media Authority have also launched actions against offending businesses.
In addition, there is a mounting risk that businesses will be taken to court for repercussions associated with data breaches by those who have had their information exposed. Class actions are becoming more prevalent, for example actions have been launched against Optus (data breach affected up to 10 million current and former customers) and Medibank (breach resulted in the leak of personal customer data affecting 9.7 million customers, including sensitive information such as Medicare card numbers, passport numbers, and health claim data) for their data breaches in 2022, and Latitude Financial for its breach in 2023 (which compromised the personal information, including passports, driver’s licenses and Medicare numbers, of over six million customers). Read our article No More Unto the (Data) Breach for details.
Lawyers have also lodged a representative complaint with the OAIC in relation to the Genea fertility clinic breach earlier this year, and another in respect to the Qantas data breach in July.
Law firm Phi Finney McDonald said in a statement it had “lodged a representative complaint with the Office of the Australian Information Commissioner against Genea after being contacted by hundreds of impacted people who were distressed that their personal information had been accessed by unauthorised third parties.” The complaint alleges that Genea “failed to take reasonable steps to protect information from misuse, interference, loss, and unauthorised access, modification or disclosure” and that the company failed to “destroy or remove information when no longer required”.
The Qantas breach saw the personal data of 5.7 million customers stolen on 30 June 2025 and subsequently published on the dark web on 11 October. Maurice Blackburn Lawyers made a representative complaint to the OAIC against Qantas for a breach of the Privacy Act, alleging that the airline breached privacy laws by failing to adequately protect the personal information of its customers.
Mitigating data breach risks
The old adage, ‘prevention is better than a cure’, holds very true when it comes to data breaches. Keeping personal data secure should be a priority for all businesses, regardless of whether they are subject to the NDB or not – the costs of suffering a data breach can go far beyond the financial impacts (which in themselves can be high – the average cost of a data breach is $4.26 million, according to IBM’s Cost of a Data Breach study). Reputational damage can also have a devastating impact on the business and even result in, or contribute to, its closure.
Businesses should consider implementing risk mitigation strategies including:
Governance and management
- Understand what personal information the business collects, how it collects it and for what purposes.
- Inventory all data sets and identify locations of sensitive information.
- Develop and implement organisation-wide privacy and security policies, procedures and protocols.
- Establish robust internal data handling procedures.
- Follow best practices for the storage and disposal/de-identification of personal data.
- Set strict, least-privilege access controls. Work on a ‘zero trust’ basis.
- Implement strong password management protocols.
- Train staff to recognise cybersecurity issues and threats.
- Monitor for unusual account activity or suspicious log-ins.
- Conduct security audits.
- Undertake security assurance testing, particularly for sensitive or critical information.
- Establish secure hiring and termination procedures.
- Assess the data security practices of third-party vendors and partners.
- Establish incident response plans.
- If subject to the NDB, establish efficient OAIC reporting and notification procedures.
- Investigate insurance options.
Software and hardware
- Secure networks, devices, and applications to prevent unauthorised access.
- Encrypt data at rest and in transit.
- Use segmentation (to limit lateral movement between systems).
- Implement endpoint security solutions.
- Deploy firewalls.
- Use intrusion detection systems.
- Keep all software and hardware up to date.
- Enable anti-virus protections.
- Keep operating systems, browsers and plugins up-to-date with patches and fixes.
- Use multi-factor authentication (MFA).
- Back up data regularly.
- Understand data wiping options for lost/stolen devices.
- Use data breach monitoring tools.
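The checklist item ‘monitor for unusual account activity or suspicious log-ins’ is easier to act on with a concrete detection in hand. The following is an added example, not EBM’s own tooling and not anything from the ACL proceedings: a small Python script that parses a constructed authentication log (the line format, user names and IP addresses are invented for illustration) and raises alerts for a burst of failed logins, a success that follows such a burst, a success from a source address not previously seen for that account, and logins outside business hours. The function names, the log format and the `KNOWN_SOURCES` baseline are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data): one login event per line.
SAMPLE_LOG = """\
2025-10-01T09:02:11Z user=alice src=203.0.113.5 result=SUCCESS
2025-10-01T09:05:40Z user=bob src=198.51.100.20 result=SUCCESS
2025-10-01T22:41:02Z user=alice src=203.0.113.5 result=SUCCESS
2025-10-02T03:10:01Z user=carol src=192.0.2.77 result=FAIL
2025-10-02T03:10:03Z user=carol src=192.0.2.77 result=FAIL
2025-10-02T03:10:05Z user=carol src=192.0.2.77 result=FAIL
2025-10-02T03:10:08Z user=carol src=192.0.2.77 result=FAIL
2025-10-02T03:10:10Z user=carol src=192.0.2.77 result=FAIL
2025-10-02T03:10:15Z user=carol src=192.0.2.77 result=SUCCESS
2025-10-02T10:15:00Z user=bob src=198.51.100.20 result=SUCCESS
"""

# Constructed baseline of source addresses each account has legitimately used before.
KNOWN_SOURCES = {
    "alice": {"203.0.113.5"},
    "bob": {"198.51.100.20"},
}

# Assumed log line format; adapt this pattern to the real system's log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts sorted by timestamp.

    Malformed lines are skipped rather than crashing the detector, because a
    monitoring job must keep running even when the log contains noise.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_suspicious(events, known_sources, fail_threshold=5,
                      window=timedelta(minutes=5), business_hours=(8, 18)):
    """Return a list of (kind, user, src, timestamp) alerts.

    Detections:
      brute_force            - fail_threshold or more failures for one (user, src)
                               inside `window`, reported once per pair
      success_after_failures - a success while such a burst is still inside the window
      new_source             - a success from an address never seen for that user
      off_hours              - a success outside business_hours (hours in UTC here;
                               convert to local time for a real deployment)
    """
    seen = {u: set(s) for u, s in known_sources.items()}  # copy so the baseline is not mutated
    fails = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerted = set()             # (user, src) pairs already reported as brute force
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        # Keep only failures that are still inside the sliding window.
        fails[key] = [t for t in fails[key] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails[key].append(e["ts"])
            if len(fails[key]) >= fail_threshold and key not in alerted:
                alerts.append(("brute_force", e["user"], e["src"], e["ts"]))
                alerted.add(key)
            continue
        # Successful login: compare against the per-user baseline and business hours.
        if e["src"] not in seen.setdefault(e["user"], set()):
            alerts.append(("new_source", e["user"], e["src"], e["ts"]))
        seen[e["user"]].add(e["src"])
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            alerts.append(("off_hours", e["user"], e["src"], e["ts"]))
        if len(fails[key]) >= fail_threshold:
            alerts.append(("success_after_failures", e["user"], e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, src, ts in detect_suspicious(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(f"{ts.isoformat()} {kind:24s} user={user} src={src}")
```

On the constructed log this raises five alerts: an off-hours login for alice, and for carol a brute-force burst, a login from a never-before-seen address, an off-hours login, and a success immediately after the failed burst. The thresholds, window and business-hours range are deliberately parameters, since the right values depend on the system; in practice the alerts would feed the incident response plan and, where personal information is involved, start the clock on the NDB assessment described earlier.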
Role of insurance
Cyber insurance can help to protect a business from the costs associated with a data breach. Depending on the policy, there may be cover for investigation and recovery costs, ransom payments, statutory fines, and reputational management costs, among others. Your EBM Account Manager can discuss cover options and inclusions with you.
Beyond the costs associated with the data breach itself, a business may need to explore other covers such as directors’ & officers’ (D&O), management liability, statutory liability, professional indemnity (PI), or legal expenses, to protect against ramifications such as legal proceedings (launched by shareholders, affected customers and so forth).
Key takeaway
The first civil penalty for breaching the Privacy Act has been ordered for a data breach that exposed personal and sensitive data. The proceedings send a warning to businesses that the authorities will litigate against those that fail to protect personal data including from exposure resulting from cyberattacks.
While not all businesses are subject to the mandatory NDB scheme, all entities must keep the private data they hold secure and employ sound cybersecurity measures to protect personal information or risk the potentially devastating fallout from a data breach.
Need expert guidance?
In addition to consulting IT experts, talk to your EBM Account Manager about risk mitigation strategies to protect your business against data breaches. Your broker can help you assess the risks specific to your business and the private data it holds, and explore the insurance policy options that may be available to you in the event your business suffers a data breach.