NewsBite

‘Seriously interfered with privacy’: Information Commissioner sues ACL over pathology cyber attack

Pathology group ACL failed to take steps to protect the privacy of its customers, Australian Information Commissioner Angelene Falk says.

Office of the Australian Information Commissioner Angelene Falk said ACL delayed disclosure of its cyber attack by months. Picture: Kym Smith

ASX-listed pathology group ACL “seriously interfered with the privacy of millions of Australians” – an action that led to hackers stealing scores of sensitive health records, the Australian Information Commissioner alleges.

Cyber criminals infiltrated the customer database of ACL’s Medlab pathology business in February last year. But the data breach wasn’t disclosed to Australian Information Commissioner Angelene Falk for another six months, while the broader public and market were not informed until last October.

Ms Falk is now suing ACL – which is attempting to mount a takeover of bigger rival Healius – in the Federal Court, with the company facing a fine of up to $50m. Ms Falk alleges that from May 2021 to September 2022, ACL “seriously interfered with the privacy of millions of Australians by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure in breach of the Privacy Act”.

She said the delay in disclosure led to customers being exposed to a greater risk of identity theft, extortion and financial crime.

“We consider that ACL failed to take reasonable steps to protect personal information it held for an organisation of its size with its resources, and considering the nature and volume of the sensitive personal information it handled,” Ms Falk said.

“When a data breach occurs, organisations are responsible for notifying the Office of the Australian Information Commissioner and affected individuals as a way of minimising the risks and potential for harm associated with a data breach.

“Contrary to this principle, ACL delayed notifying my office that personal and sensitive information had been published on the dark web. As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”

Ms Falk said ACL’s business centrally involves collecting and holding millions of individual patients’ health information. ACL collects other personal information from patients in order to provide test results and issue invoices, such as personal identifying and contact information, and copies of Medicare cards and numbers.

ACL acknowledged the legal action in a statement to the ASX.

“ACL confirms that the claims relate to its systems and process during the relevant period only and the AIC is not alleging that any ACL data has been compromised other than the data involved in the Medlab incident notified to the market on October 27, 2022,” the company said.

“The AIC claim does not specify the level of any penalty it intends to seek in the event that the claim is established. ACL cannot rule out the possibility that any penalty payable in the event that the claim is established will be material.”


Original URL: https://www.theaustralian.com.au/business/seriously-interfered-with-privacy-information-commissioner-sues-acl-over-pathology-cyber-attack/news-story/1663f8c01a229f44ef5dff3633319e59