Key takeaways:
- The Federal Court has imposed the first ever civil penalty under the Privacy Act 1988 (Cth) (Privacy Act). Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million, plus $400,000 in costs, following a 2022 data breach in systems it had recently acquired from Medlab Pathology Pty Limited (Medlab).
- ACL’s liability arose from its failure to rectify serious security deficiencies in the IT systems it acquired from Medlab and, once those systems were targeted by a cyberattack, from its failure to assess whether the incident constituted an eligible data breach and to promptly notify the Australian Information Commissioner.
- Although the post-December 2024 penalty increases did not apply, the decision signals a new enforcement era for organisations handling sensitive personal information.
Background
In the first civil penalty proceeding under the Privacy Act, the Federal Court ordered Australian Clinical Labs Limited (ACL) to pay $5.8 million in connection with a ransomware attack on IT systems it had acquired from Medlab Pathology Pty Ltd (Medlab) just two months earlier.
At the time, ACL was one of the largest private hospital pathology businesses in Australia. On 19 December 2021, ACL acquired the assets of Medlab, which included Medlab’s computer and information technology systems. Then in February 2022, the “Quantum Group” cyberattack exfiltrated 86 GB of data from Medlab’s IT systems, including sensitive health and financial information of more than 223,000 individuals, which was later published on the dark web.
As the first civil penalty proceeding brought by the Commissioner in the history of the Privacy Act, the judgment marks a turning point in Australian privacy enforcement, confirming that privacy compliance failures can now attract significant financial consequences.
The decision
The Court found that:
- ACL breached Australian Privacy Principle (APP) 11.1(b) by failing to take reasonable steps to protect personal information held on Medlab’s IT systems from the date those assets were acquired. Importantly, the Court determined that each affected individual constituted a separate contravention.
- In connection with the cyberattack, ACL contravened section 26WH(2) of the Privacy Act by failing to carry out a reasonable and expeditious assessment as to whether there were reasonable grounds to believe an eligible data breach had occurred; and
- Once there were reasonable grounds to believe that an eligible data breach had occurred, ACL contravened section 26WK(2) of the Privacy Act by failing to notify the Australian Information Commissioner as soon as practicable.
Penalty orders (aggregate $5.8 million):
- $4.2 million – breach of APP 11.1(b) (failure to protect data)
- $800,000 – breach of section 26WH(2) (failure to assess)
- $800,000 – breach of section 26WK(2) (failure to notify)
Plus, an additional $400,000 in legal costs to the Commissioner.
Why this matters for M&A
The contraventions were directly attributable to deficiencies in the IT systems inherited through ACL’s acquisition of Medlab’s assets, compounded by gaps in post-completion integration. Prior to purchase, Medlab’s IT environment suffered from critical vulnerabilities including outdated servers, weak authentication, limited logging, lack of encryption, and inadequate antivirus capability. ACL failed to detect these deficiencies during due diligence.
ACL planned to integrate the Medlab IT systems into ACL’s core IT environment within 6 months, but the cyberattack occurred just two months after the assets were acquired.
The Court also found that when the cyberattack occurred, ACL relied heavily on a third-party cybersecurity provider without sufficient internal capability or incident response training.
The case demonstrates that from the moment a deal closes, the acquiring company assumes responsibility for privacy compliance. Once ownership transfers, so too does responsibility for protecting personal information and ensuring the target’s systems meet the standards required by the Privacy Act.
Practical lessons for acquirers
- Integrate cyber security and privacy into due diligence: Evaluate IT architecture, review historical data incidents, and test existing security controls and monitoring tools.
- Conduct a Privacy Impact Assessment (PIA): Before and after acquiring a business, assess how personal information will be handled. A PIA helps identify risks and ensures compliance with the APPs.
- Include transaction protections: Seek warranties, indemnities, and pre-completion disclosure of known or suspected breaches.
- Audit and secure inherited IT systems: Immediately assess the security posture of any acquired systems. Identify vulnerabilities, update outdated software, and ensure systems meet current cybersecurity standards.
- Strengthen notification readiness: Ensure internal teams can conduct a Privacy Act-compliant assessment within 30 days and make prompt notifications where required.
- Reduce third-party dependence: Maintain internal oversight and governance rather than relying solely on vendors for detection and response.
Context on penalties
Although the increased penalties introduced in December 2024 were not applicable, the Court made clear that the outcome would have been significantly higher under the current regime. For corporations, maximum penalties are now the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover for the relevant period.
How we can help
Russell Kennedy is able to assist clients across the transaction lifecycle to manage data and privacy risks, including conducting privacy due diligence in M&A transactions, developing breach assessment and response frameworks under the Privacy Act, and drafting internal procedures and governance guidelines.
Please contact Russell Kennedy’s expert Privacy team members Gina Tresidder or Michael Cassidy for advice on all aspects of privacy, cybersecurity and data protection in Australia.
The information contained in this Insight is intended as general commentary and should not be regarded as legal advice. Should you require specific advice on the topics or areas discussed please contact the Russell Kennedy lawyers listed above.