The Office of the Australian Information Commissioner believes Australian Clinical Labs did not adequately protect personal data, leading to an increased risk of “identity theft, extortion and financial crime”.
When Medlab Pathology was hacked in February 2022, a total of 223,000 Australians had their personal information exposed on the darknet, including credit card details and passport information.
However, that breach was not fully reported to the Office of the Australian Information Commissioner (OAIC) until July 2022. Now, the OAIC is taking Medlab’s owner, Australian Clinical Labs (ACL), to court over claims that the company did not do enough to protect the information in its care.
“ACL delayed notifying my office that personal and sensitive information had been published on the dark web,” OAIC commissioner Angelene Falk said in a statement reported by The Guardian.
“As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion and financial crime.”
ACL did not make a public declaration regarding the hack until October 2022.
ACL said last year that the delay was caused by the initial investigation, stating it had “taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved”.
While the OAIC clearly believes that ACL is at fault, the company has said it will defend itself and its cyber security methods.
“ACL will be defending the OAIC claim and asserts that its cyber security systems are robust,” the company said in a statement to the Australian Stock Exchange.
If found guilty of negligence, ACL could face a fine of $2.2 million.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.