On 8 October 2025, the Federal Court ordered a $5.8 million penalty against Australian Clinical Labs for a significant data breach that occurred in 2022.
Key takeaways

This data breach involved significant contraventions of the Privacy Act by Australian Clinical Labs Limited (ACL), one of Australia’s largest private hospital pathology businesses. The Court found ACL had failed to act with sufficient care and due diligence, and that the data breach had the potential for significant harm and an impact on public trust. Following the acquisition by ACL of the business assets of Medlab Pathology Pty Ltd (Medlab), and despite most of ACL’s senior management being involved in the decision making regarding the integration of Medlab’s business into its own, insufficient attention was given to risks affecting IT systems. Further, ACL failed to adequately respond to a cyber attack and data breach affecting its IT systems and failed to notify the regulator as soon as practicable.

This decision is instructive. It highlights the kinds of penalties that a Court is prepared to apply if a data breach occurs. Businesses should not take their privacy and information management obligations for granted. Nor should businesses consider penalties to be a mere cost of doing business, as this penalty demonstrates the seriousness of the consequences of a breach of the Privacy Act.
The decision is further instructive as it highlights standards expected of businesses regarding privacy and information management, including:

- There should be due diligence on IT systems before acquiring a business
- IT staff should be appropriately trained, including in cybersecurity and incident response
- Response plans, communication plans and playbooks should be comprehensive, clear and up to date, with defined roles and responsibilities, detailed containment processes and steps to mitigate exfiltration of data, and should be specific to the software and hardware actually in use
- Suitable antivirus software, strong authentication measures and file encryption ought to be deployed
- Logs should be retained for sufficient periods to assist if a data breach occurs and to facilitate security monitoring
- Server systems should be up to date and supported
- Incident management processes should be tested
- Data loss prevention measures should be implemented to detect or prevent the theft of personal information and data held
- Adequate tooling/products that can perform behavioural-based analysis of activity, to determine whether malicious actions might be going undetected by an antivirus product, should be used
- Application whitelisting to prevent unknown or unauthorised applications from running should be used
- Data recovery plans should be developed
- Multifactor authentication should be implemented for use on systems
- External cybersecurity advice should be comprehensive and appropriate, having regard to the relevant risks, the sensitivity of the information, and the available resources and size of the business.

Background

ACL is one of Australia’s largest private hospital pathology businesses. ACL collects and holds personal and sensitive information, including health information about individual patients, for the purpose of providing test results and issuing invoices. On 19 December 2021, ACL acquired the assets of Medlab. From that date ACL owned and controlled Medlab’s IT systems.
On or about 25 February 2022, Medlab’s IT systems were impacted by a cyberattack. The cyberattack resulted in 86 gigabytes of data, including the personal and sensitive health information of more than 223,000 individuals, being exfiltrated and subsequently published on the dark web. This information included health information, contact information, credit card information and payment details of the impacted individuals.

Medlab’s IT Team Leader, who was initially put in charge of the response, had received no training in how to respond to a cyberattack. Whilst ACL’s Head of Technical Services supplied Medlab’s IT Team Leader with a malware and outbreak playbook and a ransomware playbook once ACL became aware of the cyberattack, no training was supplied regarding those documents.

External cybersecurity advisors advised ACL that the cyberattack did not cause harm to any individual. Accordingly, ACL considered that the threat posed by the cyberattack had been contained, that there was no evidence suggesting that personal information had been exfiltrated, and that the regulator, the OAIC, and affected individuals did not need to be notified of the data breach.

Shortly thereafter, the Australian Cyber Security Centre (ACSC) notified ACL that it had received intelligence that Medlab may have been a victim of a ransomware incident and reminded ACL that it may be required to notify the OAIC and affected individuals. On or before 16 June 2022, the data exfiltrated from Medlab’s IT systems was published on the dark web. On 16 June 2022, the ACSC sent ACL a further notification indicating that Medlab’s data had been published. A further investigation was undertaken. On 10 July 2022, ACL notified the OAIC that the cyberattack amounted to an ‘eligible data breach’ within the meaning of the Privacy Act.

Issues

The proceedings commenced by the OAIC against ACL involved three key issues, as follows:

- Was there a failure to take reasonable steps to protect personal information?
- Was there a failure to carry out a reasonable and expeditious assessment?
- Was there a failure to notify the OAIC of the data breach?

Failure to take reasonable steps to protect personal information

Until they were integrated into ACL’s core IT environment, Medlab’s IT systems had cybersecurity deficiencies. These deficiencies included that:

- The antivirus software deployed on Medlab computers was not capable of preventing certain malicious files from being written or run on those systems;
- Medlab computers utilised weak authentication measures;
- Medlab computers were subject to firewalls that could only log one hour of activity before the logs were deleted;
- Medlab computers had no form of file encryption;
- The Medlab network server was running a legacy version of Windows Server that had not been supported by Microsoft since 14 January 2020; and
- The antivirus software deployed on the Medlab server did not prevent or detect a threat actor uploading data from the server to the internet.

ACL did not identify these deficiencies prior to its acquisition of the Medlab assets. ACL is one of the largest private hospital pathology businesses in Australia, generating revenue of almost $1 billion in the financial year ending June 2022. ACL employed approximately 5,400 staff as at 30 June 2022. The Court found that ACL did not take such steps as were reasonable in the circumstances to protect the personal information held on the Medlab IT systems from unauthorised access and unauthorised disclosure.
The Court had regard to:

- The size and nature of the business of ACL;
- The volume and sensitivity of the information;
- The high cybersecurity risks facing ACL in the months after acquiring Medlab, and the risk of harm to individuals if their health and other personal information held by ACL on Medlab’s IT systems was accessed and disclosed without authorisation;
- The deficiencies with Medlab’s IT systems;
- ACL’s failure to identify the deficiencies in Medlab’s IT systems prior to their acquisition;
- The delay in ACL identifying the deficiencies in Medlab’s IT systems; and
- The overreliance that ACL placed on third party service providers and its failure to have in place adequate procedures to detect and respond by itself to cyber incidents.

ACL also admitted its ability to detect and respond by itself to cyber incidents was deficient because:

- Its playbooks did not clearly define roles and responsibilities for incident response efforts, contained limited detail on the containment processes that should be deployed in the event of a cyber incident or the steps that ACL should take to mitigate exfiltration of data, and recommended steps for technologies that were not used within Medlab’s IT systems;
- There was inadequate testing of incident management processes in the period between the acquisition and the cyberattack;
- Data loss prevention was not used on Medlab’s IT systems to detect or prevent the theft of personal information and data held on those systems;
- Adequate tooling/products that could perform behavioural-based analysis of activity, to determine whether malicious actions might be going undetected by an antivirus product, were not used;
- There was no application whitelisting in place to prevent unknown or unauthorised applications from running on Medlab computers;
- There were only limited communications plans;
- The Medlab IT Team Leader had not seen, used, or received training on the playbooks provided and had no formal cybersecurity background or incident response training;
- There was limited security monitoring capability because the firewall logs were only retained for one hour;
- Specific data recovery plans had not been developed; and
- Medlab staff were not required to use multifactor authentication to use the Medlab VPN.

Failure to carry out a reasonable and expeditious assessment

The Court found that the assessment undertaken by the external cybersecurity advisors, on which ACL relied, was inadequate. That is:

- Only 3 of the 127 computers subject to ransomware were monitored by the advisors;
- No investigation was conducted into the party responsible or its attack traits, to determine whether data was likely to have been exfiltrated;
- The advisors based their review on only one of the firewall logs, which they did not access until approximately four hours after the ransom demand was first downloaded; and
- ACL only conducted a limited investigation of whether the party responsible may have established a persistence mechanism to stay connected to Medlab’s IT systems and its network.

Further, the Court found that ACL was aware of the limited assessment undertaken by its advisors, and it was therefore unreasonable for ACL to rely solely on that assessment that the threat had been contained and that there had been no exfiltration of data.

Failure to notify of data breach

Finally, the Court found that, having received the further notification from the ACSC on 16 June 2022, ACL had reasonable grounds to believe that there had been an eligible data breach. Accordingly, ACL ought to have notified the OAIC of the data breach forthwith, rather than waiting until 10 July 2022.
Penalty

The Court imposed a penalty of $5.8 million on ACL, comprised of the following:

- $4.2 million because ACL did not have adequate cybersecurity controls in place, which meant that it did not take reasonable steps to protect the personal information of those individuals that ACL held from unauthorised access, modification or disclosure;
- $800,000 because ACL failed to take reasonable steps to ensure it carried out a reasonable and expeditious assessment of whether there were reasonable grounds to believe that the circumstances of the cyberattack amounted to an eligible data breach; and
- $800,000 because there were reasonable grounds to believe that there had been an eligible data breach in the circumstances of the cyberattack, and ACL failed to notify the OAIC as soon as practicable.

In addition, ACL was ordered to pay, within 30 days, a contribution of $400,000 towards the OAIC’s costs in the proceeding.

Should you wish to discuss this decision, data breaches, or privacy rights and obligations, please do not hesitate to contact us. We also deliver presentations and training to our clients on privacy laws, data breaches and the implications of privacy law reforms.

Further information / assistance regarding the issues raised in this article is available from the author, Bill Fragos, Special Counsel, Christina Segaan, Senior Associate, or your usual contact at Moray & Agnew.
The content of this publication is intended to provide a summary and commentary only. It is not intended to be comprehensive nor does it constitute legal advice, and has been prepared based on applicable legislation at the date of publication. You should seek legal advice on specific circumstances before taking any action.