Charmian Aw, Melissa B. Levine, and Ciara O’Leary of Hogan Lovells write:
On 9 October 2025 the Federal Court of Australia (the Court) imposed an AU$5.8 million civil penalty on Australian Clinical Labs Limited, one of Australia’s largest private hospital pathology service providers (the Company), for systemic failures that led to the unauthorised access to and exfiltration of the sensitive personal information of more than 223,000 individuals. The decision marks the first civil penalty ordered under the Privacy Act 1988 (Cth) (Privacy Act), and signals heightened regulatory scrutiny in Australia regarding data breaches.
Australia’s Privacy Commissioner Carly Kind described the outcome as an “important turning point in Australian privacy enforcement”, saying it “serves as a vivid reminder to entities, particularly healthcare providers, that there will be consequences for serious failures to protect health information.”
Read more about the incident and findings at Hogan Lovells.