The nation’s privacy watchdog has launched civil proceedings against Australian Clinical Labs (ASX: ACL) over the Medlab hack late last year, in which the health records and credit card numbers of more than 223,000 patients and staff were stolen.
The Australian Information Commissioner (AIC) has filed the suit in the Federal Court of Australia, alleging that ACL had deficient cyber security arrangements in place for the protection of the personal information it held between 26 May 2021 and 29 September 2022.
Announced by ACL over a year ago, the breach included 17,539 medical and health records associated with a pathology test, 28,286 credit card numbers and names (of which 15,724 were expired), and 128,608 Medicare numbers.
One week after the hack was made public, the Office of the Australian Information Commissioner (OAIC) expressed its intention to investigate the data breach. The majority of the customers impacted were from NSW and Queensland.
“Organisations are responsible for protecting the information they hold, including effectively managing cyber security risk,” Australian Information Commissioner Angelene Falk says in a statement released today.
“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.
“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach. Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web.”
In an announcement to the ASX, ACL says it will be defending the AIC claim and asserts that its cyber security systems are robust.
“ACL confirms that the claims relate to its systems and processes during the relevant period only and the AIC is not alleging that any ACL data has been compromised other than the data involved in the Medlab incident notified to the market on 27 October 2022,” the company says.
The AIC also alleges that ACL did not carry out an adequate assessment of whether the Medlab incident represented an eligible data breach within 30 days and did not notify the AIC of an eligible data breach ‘as soon as practicable’ as required by the Privacy Act.
According to AIC, an eligible data breach occurs when there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds.
The news of the legal proceedings against ACL comes one day after the Australian Cyber Security Centre found multiple vulnerabilities in Atlassian’s Confluence Data Center and Server product.
Described as an improper authorisation vulnerability affecting the server software, the bug is tracked as CVE-2023-22518 and puts publicly accessible instances at critical risk.
“As part of our continuous security assessment processes, we have discovered that Confluence Data Center and Server customers are vulnerable to significant data loss if exploited by an unauthenticated attacker,” says Atlassian chief information security officer Bala Sathiamurthy.
“There are no reports of active exploitation at this time; however, customers must take immediate action to protect their instances.”