Australian Clinical Labs agrees to $5.8m penalty over 2021 cyberattack at Medlab subsidiary

Australian Clinical Labs (ASX: ACL) has agreed to pay a $5.8 million penalty over a cyberattack in 2021 that led to the theft of personal data of staff and patients at Medlab, a pathology business that the company had acquired in a deal worth $70 million.

The agreement put forward to the Federal Court will wrap up legal action brought against ACL by the Australian Information Commissioner in 2023.

While the agreement remains subject to Federal Court approval, the court today reserved its judgment.

ACL was made aware of the cyberattack in February 2022, about two months after acquiring Medlab at the end of 2021. However, the company only announced the incident as “notifiable” in October that year after a forensic analysis of the affected information.

The company said at the time that the cyberattack had affected the personal information of about 223,000 individuals, with the compromised data including medical records, credit card details and Medicare numbers.

Medlab is a pathology business primarily located in Sydney and South-East Queensland, with a laboratory in Sydney and Brisbane plus 288 collection centres in Queensland and NSW.

ACL had previously revealed to the market that its own data and IT systems were not impacted by the Medlab incident.

In its civil action against ACL, the Australian Information Commissioner alleged that the company had deficient cyber security arrangements in place for the protection of the personal information it held and that it did not carry out an adequate assessment of whether the Medlab incident represented an eligible data breach within 30 days.

ACL is also alleged to have failed to notify the Commissioner of an eligible data breach “as soon as practicable” as required under the Privacy Act.

In addition to the $5.8 million penalty, ACL has agreed to contribute $400,000 towards the Australian Information Commissioner’s legal costs.

ACL says it doesn’t expect a material impact on the ongoing operations or financial position of the company beyond the agreed settlement amount.

“Following ACL’s acquisition of the Medlab business, Medlab’s IT systems were integrated into ACL’s IT systems and are subject to ACL’s robust cybersecurity framework and protections,” says ACL in a statement to the ASX today.

“ACL would like to again apologise to the Medlab customers and employees that were impacted as a result of this cyberattack.

“While the Medlab cyberattack was isolated to the newly acquired Medlab business, we remain steadfast in our commitment to the protection of patient data, data governance and continuously improving our cybersecurity systems and controls.

“This resolution allows ACL to move forward with certainty and focus on our strategic objectives and continued delivery of high-quality pathology service to our patients and value to shareholders.”

Business News Australia
