Landmark $5.8m penalty over health data cyber attack

A significant fine imposed following the leak of hundreds of thousands of pathology patients’ information has been seen as a “vivid reminder” to companies about protecting private data.
Medlab Pathology was hit with a cyberattack and ransomware demand in February 2022 by a malicious actor known as Quantum Group.
Four months later, approximately 86 gigabytes of data, including the personal and health information of more than 223,000 people, were retrieved and published on the dark web.
Medlab’s parent company, Australian Clinical Labs, was sanctioned by the Federal Court on Wednesday and fined $5.8 million in a landmark decision that is the first of its kind.
Judge John Halley found the company failed to protect patients’ personal data and failed to properly assess whether a data breach had occurred following the attack.
Clinical Laboratories Australia, one of the country’s largest private pathology providers, also failed to promptly notify the Australian Information Commissioner’s Office.
The Commissioner was notified in July 2022; the public was notified in October 2022.
The judge said Medlab did not take steps to identify vulnerabilities and deficiencies in its IT systems when it acquired the company in December 2021, despite the company operating in a “high cyber threat environment”.

Judge Halley said the privacy law breaches were “extensive and significant”.
“Given the nature of the information published on the dark web, I am satisfied that the breaches had at least the potential to cause serious harm to those whose information was leaked,” he wrote.
He said the company admitted wrongdoing, cooperated with the commissioner, did not knowingly violate the law and did not gain financially from the violations.
Privacy Commissioner Carly Kind described the decision as a “landmark” for the enforcement of privacy law in Australia.
“This should serve as a vivid reminder to organisations, particularly providers operating within Australia’s healthcare system, that there will be consequences for serious failures to protect the privacy of individuals whose healthcare and information they provide,” she said.
Cybersecurity academic Matthew Warren told AAP Thursday’s fine was a wake-up call for businesses to meet their duty of care to protect customer data.
Professor Warren said organisations need to view cybercrime as a business risk, not just a technological risk, and invest in infrastructure to protect against such attacks.
“The government will begin to hold companies to account when they fail to meet this duty of care,” the director of RMIT’s Cybersecurity Research and Innovation Center said on Thursday.
In an ASX announcement in September, the firm again apologized to affected customers and employees.
“Although the Medlab Cyber Attack was isolated to the newly acquired Medlab business, we remain committed to continuously improving our patient data protection, data management, and cybersecurity systems and controls,” the company wrote.
The acquisition in 2021 cost Australian Clinical Laboratories $70 million.

Australia’s Associated Press is the beating heart of Australian news. AAP is Australia’s only independent national news channel and has been providing accurate, reliable and fast-paced news content to the media industry, government and corporate sector for 85 years. We inform Australia.