What happened
In February 2022 a malicious actor accessed and exfiltrated the personal information of more than 223,000 people from Medlab Pathology, a business Australian Clinical Labs had acquired weeks earlier [oaic-penalty]. On 8 October 2025 the Federal Court ordered ACL to pay A$5.8 million — the first civil penalty ever imposed under Australia’s Privacy Act [federal-court-orders].
Data exposed
The headline figure of 223,000+ affected is confirmed in the OAIC record. Data-type sub-totals are as reported by media at the time and are not asserted by us.
Timeline
- 2022-02 — Cyberattack on Medlab’s systems; 223,000+ records exfiltrated [oaic-penalty].
- 2022-07 — ACL publicly disclosed and began notifying affected individuals.
- 2022-12 — OAIC commenced a Commissioner-initiated investigation [oaic-penalty].
- 2025-10-08 — Federal Court ordered A$5.8M in penalties [federal-court-orders].
Why it matters
The case set the precedent for financial penalties under Australian privacy law. The OAIC’s findings centred on ACL’s response — slow assessment and delayed notification — as much as the breach itself.