OAIC opens investigation into Medlab data breach

The Office of the Australian Information Commissioner (OAIC) has launched an investigation into how Medlab Pathology, owned by Australian Clinical Labs (ACL), handled the personal information of customers and staff following a recent data breach.

In February this year Medlab experienced a cyber incident involving the personal information of its patients and staff.

In an announcement made to the Australian Securities Exchange (ASX) in October, the company said it conducted a forensic analysis of the information accessed during the cyber breach, determining that approximately 223,000 individuals had been affected.

The firm confirmed that information “of different levels of concerns” was accessed during the incident, belonging mostly to individuals based in New South Wales and Queensland.

Records accessed “of most concern” included around 17,539 individual medical and health records associated with a pathology test, around 28,286 credit card numbers together with the cardholders’ names, and approximately 128,608 Medicare numbers together with the individual’s name.

The OAIC’s decision to investigate the matter followed inquiries which commenced in October, with the investigation to focus on whether Medlab had taken reasonable steps “to protect the personal information from misuse, interference, loss, unauthorised access, modification or disclosure, and whether they complied with the Notifiable Data Breaches (NDB) scheme”.

The investigation will also examine the firm’s practices, procedures and systems, and the extent to which these ensured compliance with the Australian Privacy Principles (APPs).

The OAIC added: “If the OAIC’s investigation satisfies the Commissioner that an interference with the privacy of individuals has occurred, the Commissioner may make a determination which can include declarations requiring Medlab to take steps to ensure the act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice.”

The Commissioner has the power to seek civil penalties through the Federal Court of up to $2.2 million for each contravention.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said that organisations also needed to be proactive in minimising the risk of data breaches.

“As the risk of serious harm to individuals can increase over time, a key focus for the OAIC is the time taken by entities to identify, assess and notify the office and affected individuals of data breaches,” she said.

Under the NDB scheme, organisations covered by the Privacy Act 1988 must notify affected individuals and the OAIC as soon as practicable if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved.

In its 5 December announcement to the ASX, Australian Clinical Labs said that it had kept the OAIC abreast of the progress of the forensic investigations into the incident and responded to all requests for information.

The company stressed that in October both the OAIC and the Australian Cyber Security Centre (ACSC) had been notified of the incident, as had its affected customers.

“Medlab has now contacted all individuals whose contact information was available to Medlab to provide them with information about the incident, how it affects them and steps that can be taken to protect their information,” the firm said in the announcement.

“To date, there is no evidence of misuse of any of the information involved in the incident. The compromised Medlab server was de-commissioned and is no longer in use. ACL’s broader systems and databases remain unaffected by the incident.”

Medlab first became aware of the unauthorised third-party access to its IT system in February 2022, and in March the company was contacted by the ACSC, which had received intelligence that Medlab might have been the victim of a ransomware incident.

In June, ACL was again approached by the ACSC, which informed the firm that it believed Medlab information had been posted on the dark web.

In response, ACL said it took immediate steps to find and download a “highly complex and unstructured dataset” from the dark web and made efforts to permanently remove it.

ACL also implemented a program to determine the nature of the information involved and to identify any individuals who could be at risk of serious harm as a result of the incident.

ACL’s view at that time was that, given the nature of its relationship with the affected individuals, the most effective way to minimise the potential harm to those individuals was to contact them directly with individually tailored notifications as soon as practicable.