News & Trends - MedTech & Diagnostics
Pioneering legal action to set precedent for stringent cybersecurity standards in healthcare

MedTech & Diagnostics News: The Australian Information Commissioner (AIC) has launched civil proceedings against the pathology services provider, Australian Clinical Labs, following a major data breach of its subsidiary, Medlab Pathology, that compromised the sensitive personal information of over 223,000 patients and staff members. The breach, which occurred between May 26, 2021, and September 29, 2022, resulted in the theft of health records and credit card data, casting a shadow of concern over the organisation’s cybersecurity practices.
The AIC filed the lawsuit in the Federal Court of Australia, alleging that pathology provider Australian Clinical Labs had inadequate cybersecurity measures in place to protect the personal information it held. The breach exposed 17,539 medical and health records, 28,286 credit card numbers, and a staggering 128,608 Medicare numbers.
AIC Commissioner Angelene Falk emphasised the importance of organisations safeguarding the information they possess, stating, “Organisations are responsible for protecting the information they hold, including effectively managing cybersecurity risk. We consider that ACL failed to take reasonable steps to protect personal information it held for an organization of its size with its resources, and considering the nature and volume of the sensitive personal information it handled.”
Commissioner Falk further criticised Australian Clinical Labs for its delayed notification of the data breach. She added, “As a result of their information being on the dark web, individuals were exposed to potential emotional distress and the material risk of identity theft, extortion, and financial crime.”
Australian Clinical Labs generated a substantial revenue of $995.6 million in the financial year ending June 2022. Despite the legal action, the company has voiced its commitment to defending against the AIC’s claims and stands firm on the robustness of its cybersecurity systems.
The AIC’s legal action also alleges that Australian Clinical Labs failed to carry out an adequate assessment of whether the Medlab incident represented an eligible data breach within 30 days, as required by the Privacy Act. According to the Privacy Act, an eligible data breach occurs when there is unauthorised access, disclosure, or loss of personal information held by an organisation or agency.
The news of these legal proceedings against Australian Clinical Labs comes in the wake of the Australian Cyber Security Centre’s discovery of multiple vulnerabilities in Atlassian’s Confluence Data Centre and Server product. Described as an improper authorisation vulnerability affecting the server software, this discovery raises concerns regarding data security in the broader digital landscape.
The Privacy Act includes 13 legally binding Australian Privacy Principles (APPs) applicable to organisations and government agencies covered by the Privacy Act (APP entities). The Federal Court can impose a civil penalty of up to $2.2 million for each contravention of section 13G.
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, enacted in December 2022, has introduced significantly higher civil penalties of $50 million for serious privacy breaches. However, these new penalties will not apply to the AIC’s proceedings against Australian Clinical Labs, given that the alleged conduct occurred before the updated penalty provisions came into effect.
In response to the Privacy Act review report, the Australian Government has agreed to amend section 13G of the Privacy Act to clarify that a “serious” interference can include repeated interferences with privacy. Additionally, they have proposed introducing new mid-tier civil penalty provisions to address privacy breaches that do not meet the threshold of being “serious” and implementing low-level civil penalty provisions for specific administrative breaches of the Privacy Act and APPs, along with infringement notice powers for the OAIC.
As the legal case against Australian Clinical Labs unfolds, it remains to be seen how it will progress and whether it will set a precedent for stringent data protection measures and accountability within the healthcare sector.