Pathology giant Australian Clinical Labs, which owns Medlab, hit by cyber hack
Shares in Australian Clinical Labs have tanked after its delayed revelation that 223,000 staff and customers could be the victims of a cyber attack at its Medlab business.
Australian Clinical Labs says it was the target of a cybersecurity incident in February, disclosing the attack after seeking advice from privacy and legal specialists.
The pathology group on Thursday said the incident at its Medlab subsidiary affected some 223,000 customers, with the breaches of most concern including the exposure of 17,539 individual medical records and 28,286 credit card details along with names.
The disclosure of the breach comes after similar incidents at Medibank, Optus and at Woolworths’ MyDeal business.
ACL shares fell 5.5 per cent, or 18.9c, to close at $3.35, having traded up to 11 per cent lower in the day after the announcement.
Melinda McGrath, ACL’s chief executive, said she apologised “and deeply regret that this incident occurred”. “We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected,” she added.
“We are in the process of providing tailored notifications to the individuals involved. We want to assure all individuals involved that ACL is committed to providing every reasonable support to them. We will continue to work with the relevant authorities.”
ACL, which bought Medlab in December, said the “notifiable cyber incident” was detected in February but a thorough forensic investigation was only launched in June following repeated warnings by the Australian Cyber Security Centre, including of customer data being available on the dark web.
“ACL immediately co-ordinated a forensic investigation led by independent external cyber experts into the Medlab incident,” the company said of the original breach. “At the time, the external forensic specialists did not find any evidence that information had been compromised.”
The Office of the Australian Information Commissioner has been notified, and both the OAIC and the ACSC are monitoring the situation, the company said.
To date, there is no evidence of misuse of any of the information or any demand made of Medlab or ACL, it added. The compromised Medlab server is no longer in use and the company’s broader systems and databases have not been affected by the incident.
“Following advice from privacy and legal specialists in cyber matters, ACL implemented a program to determine the nature of the information involved and any individuals that could be at risk of serious harm as a result of the incident,” the company said in a statement on Thursday.
“Given the highly complex and unstructured nature of the dataset being investigated, it has taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved.
“ACL’s view is that, given the nature of its relationship with the affected individuals, the most effective way to minimise the potential harm to those individuals and the wider body of Medlab’s patients, is to directly contact the individuals at risk by way of individually tailored notifications as soon as practicable.”
The company will offer affected customers free credit monitoring and document replacement to those at risk of identity fraud.