Landmark civil penalty of AU$5.8 million issued under Australia's Privacy Act

On 9 October 2025, the Federal Court of Australia (the Court) imposed an AU$5.8 million civil penalty on Australian Clinical Labs Limited, one of Australia's largest private hospital pathology service providers (the Company), for systemic failures that led to the unauthorised access to and exfiltration of the sensitive personal information of more than 223,000 individuals. The decision marks the first civil penalty ordered under the Privacy Act 1988 (Cth) (Privacy Act) and signals heightened regulatory scrutiny in Australia regarding data breaches.

Australia's Privacy Commissioner, Carly Kind, described the outcome as "an important turning point in Australian privacy enforcement", saying it serves as "a vivid reminder to entities, particularly healthcare providers, that there will be consequences for serious failures to protect health information".

The Privacy Act requires entities to take reasonable steps to safeguard personal information from misuse, interference, loss, and unauthorised access or disclosure. What constitutes "reasonable" depends on factors such as the entity's nature, the sensitivity of the data, foreseeable risks, the practicability of controls, and industry standards.

Opining on APP 11, the Court found that the Company had significant control gaps, including untested or missing incident response playbooks, a lack of data loss prevention, limited behavioural detection, inadequate application controls, insufficient log retention, no mandatory multi-factor authentication for remote access, and weak recovery and communication plans. The Court determined that these deficiencies represented a substantial departure from the reasonable standards expected of a healthcare data custodian and therefore constituted a breach of APP 11.1(b).

Section 26WH of the Privacy Act requires entities to promptly and reasonably assess suspected data breaches within 30 days. To fulfil this obligation, the Company relied on a third-party report that examined only 3 of at least 127 compromised computers and failed to investigate the ransomware group or data exfiltration risks. The Court found this reliance on an outsourced third party unreasonable, noting that the Company was aware of the report's limited scope and failed to conduct its own assessment, thereby breaching s 26WH(2).

Under the Privacy Act, failure to comply with s 26WH(2) constitutes an interference with individual privacy and, if serious, may attract civil penalties under s 13G(a).

Section 13G(a) of the Privacy Act allows for civil penalties where an entity's conduct amounts to a serious interference with privacy. This case marked the first time such a penalty was imposed. The Court considered the breach serious due to the highly sensitive nature and volume of the personal information involved, the elevated cybersecurity risks, and the delayed notification to the Commissioner, which in turn hindered timely notification to affected individuals.

The Court ordered the Company to enhance its security controls, incident response capabilities and governance, and imposed an AU$5.8 million penalty for breaches of APP 11.1(b), s 26WH(2), s 26WK(2) and s 13G of the Privacy Act.

This decision reinforces that organisations handling healthcare personal data must implement the tailored and strong technical and governance safeguards necessary to protect information of this sensitivity. It also highlights the need for buyers of healthcare IT systems to conduct rigorous pre-acquisition cyber due diligence, have a plan for integrating acquisitions that addresses material gaps in cybersecurity, ensure that personnel of the acquired business are aware of the company's incident response procedures, and clearly allocate contractual responsibility for potential legacy vulnerabilities.

Beyond Australia, the decision signals a broader trend: regulatory and judicial responses to major health data breaches are increasingly scrutinising cyber and governance failures and the adequacy of post-incident response and assessments.

The Australian Federal Court's decision confirms that Australian courts are willing to impose substantial penalties for systemic failures to protect sensitive personal information and for delays in breach assessment and notification. In this case, penalties were issued under the previous regime, which capped fines at AU$2.22 million per contravention, and the total possible fine was reduced in light of the Company's ultimate cooperation and efforts to enhance its security controls. However, the current framework, which commenced on 13 December 2022, allows for significantly higher penalties of up to AU$50 million, three times the benefit obtained from the conduct, or 30 percent of annual turnover per contravention.

Organisations subject to the Privacy Act should carefully consider the implications of this ruling. It highlights the importance of thorough cyber due diligence in IT acquisitions, timely remediation of inherited vulnerabilities, and strong internal capabilities for breach detection, response and assessment. More broadly, the decision cautions that, across jurisdictions, reliance on narrowly scoped third-party reports may cause organisations to fall short of fulfilling their breach assessment obligations.

For any assistance in understanding the impact of this decision, feel free to reach out to the authors or your usual Hogan Lovells contact.

Authored by Charmian Aw, Melissa B. Levine and Ciara O'Leary.