Australian Clinical Labs said it is facing class action proceedings in the Supreme Court of Victoria over a 2022 data breach incident that compromised the data of over 223,000 individuals.

The pathology services provider said in a regulatory filing with the Australian Stock Exchange on April 21 that it has been served with class action proceedings over a significant data breach incident in February 2022 that affected its Medlab Pathology business.
The class action, filed in the Supreme Court of Victoria on behalf of hundreds of thousands of individuals whose data was compromised in the breach, seeks damages from Australian Clinical Labs for failing to protect its customers’ personal information and for breaching Australian consumer law.
The pathology services company, which operates 50 NATA-accredited laboratories and 1,288 Approved Collection Centres across Australia and employs more than 4,700 pathologists, scientists, collectors and support staff, said it denied the allegations made in the class action lawsuit and intended to vigorously defend it.
In October 2025, the Australian Federal Court ordered Australian Clinical Labs to pay $5.8 million in civil penalties in what was the first civil penalty issued under the Privacy Act. The court found “extensive and significant” contraventions committed by the company when dealing with the cyber security incident and its aftermath.
The civil penalty included a $4.2 million penalty on ACL for failing to take reasonable steps to protect the personal information of its customers, an $800,000 penalty for failing to carry out an assessment of whether a data breach had occurred due to the cyber attack, and another $800,000 fine for failing to appropriately notify the Australian Information Commissioner about the data breach.
“This outcome represents an important turning point in the enforcement of privacy law in Australia,” said Privacy Commissioner Carly Kind. “For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament.
“This should serve as a vivid reminder to entities, particularly providers operating within Australia’s healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold,” she added.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.