News

Landmark civil penalty of AU$5.8 million issued under Australia’s privacy act


On 9 October 2025 the Federal Court of Australia (the Court) imposed an AU$5.8 million civil penalty on Australian Clinical Labs Limited, one of Australia's largest private hospital pathology service providers (the Company), for systemic failures that led to the unauthorised access to and exfiltration of the sensitive personal information of more than 223,000 individuals. The decision marks the first civil penalty ordered under the Privacy Act 1988 (Cth) (Privacy Act), and signals heightened regulatory scrutiny in Australia regarding data breaches.

Australia's Privacy Commissioner Carly Kind described the outcome as an “important turning point in Australian privacy enforcement”, saying it “serves as a vivid reminder to entities, particularly healthcare providers, that there will be consequences for serious failures to protect health information.”

Key findings

  • The Court held that the Company breached Australian Privacy Principle (APP) 11.1(b) by failing to take reasonable steps to protect personal information on acquired computer systems, having regard to the size of their business, the volume and sensitivity of the data, and known cybersecurity risks.
  • The Court found that the Company contravened s 26WH of the Privacy Act by failing to carry out a reasonable and expeditious assessment after becoming aware of reasonable grounds to suspect an eligible data breach. It further found that the Company breached s 26WK(2) of the Privacy Act by not providing the Commissioner with a statement about the eligible data breach as soon as practicable.
  • The Court concluded the APP 11.1(b) breach constituted an interference with the privacy of over 223,000 individuals and met the statutory seriousness threshold under s 13G(a) of the Privacy Act, such that separate civil penalty contraventions arose under s 13G(a) for each affected individual.
  • The Court ordered remediation measures to strengthen the Company’s security, incident response capability and governance. It also imposed the landmark AU$5.8 million penalty.[1]

Factual background

  • In 2021, the Company acquired the assets of a pathology business that included the business’ computer systems which contained sensitive health records, contact details and payment card data for over 223,000 patients.
  • In February 2022, a ransomware actor deployed ransomware within the acquired computer systems, resulting in exfiltration of large amounts of patient data.
  • Upon becoming aware of the incident, the Company engaged a third-party cybersecurity investigation firm and appointed an internal incident lead to investigate and remediate the incident. Notably, this internal lead lacked formal incident response training and was unaware of the Company’s procedures for incident response.
  • The third-party investigation was narrow, monitoring only a tiny fraction of compromised devices, stopping dark web monitoring relatively quickly and closing its engagement in March 2022.
  • Approximately 86 GB of data, including sensitive data, which had been exfiltrated during the incident appeared on the dark web by June 2022.
  • A notification by the Company to the Australian Information Commissioner that there had been an eligible data breach under the Privacy Act was not made until July 2022.

Legal analysis

(i) Breach of APP 11.1(b) – Requirement to take reasonable steps to protect personal information

The Privacy Act requires entities to take reasonable steps to safeguard personal information from misuse, interference, loss, and unauthorised access or disclosure. What constitutes “reasonable” depends on factors such as the entity’s nature, data sensitivity, foreseeable risks, practicability of controls, and industry standards.

Opining on APP 11, the Court found that the Company had significant control gaps, including untested or missing incident response playbooks, lack of data loss prevention, limited behavioural detection, inadequate application controls, insufficient log retention, no mandatory multifactor authentication for remote access, and weak recovery and communication plans. The Court determined that these deficiencies represented a substantial departure from reasonable standards expected of a healthcare data custodian and therefore constituted a breach of APP 11.1(b).

(ii) Breach of s 26WH of the Privacy Act – Reliance on third parties regarding assessment of data breach

Section 26WH of the Privacy Act requires entities to promptly and reasonably assess suspected data breaches within 30 days. To fulfil this obligation, the Company relied on a third-party report that examined only 3 of at least 127 compromised computers and failed to investigate the ransomware group or data exfiltration risks. The Court found this reliance on an outsourced third party unreasonable, noting that the Company was aware of the report’s limited scope and failed to conduct its own assessment, and therefore held that the Company had breached s 26WH(2).

Under the Privacy Act, failure to comply with s 26WH(2) constitutes an interference with individual privacy and, if serious, may attract civil penalties under s 13G(a).

(iii) Breach of s 13G(a) of the Privacy Act – Civil penalty for “serious” interference with privacy

Section 13G(a) of the Privacy Act allows for civil penalties where an entity’s conduct amounts to a serious interference with privacy. This case marked the first time such a penalty was imposed. The Court considered the breach “serious” due to the highly sensitive nature and volume of personal information involved, elevated cybersecurity risks, and the delayed notification to the Commissioner, which therefore hindered timely notification to affected individuals.

(iv) Orders and remedial requirements

The Court ordered the Company to enhance its security controls, incident response capabilities, and governance, and imposed an AU$5.8 million penalty for breaches of APP 11.1(b), and s 26WH(2), s 26WK(2) and s 13G of the Privacy Act.

Practical takeaways for organisations

  • Integrate cyber due diligence into M&A processes: Ensure cybersecurity assessments are a core consideration of merger and acquisition activities in order to identify possible inherited risks and vulnerabilities of acquired companies and assets.
  • Operationalise incident response playbooks: Routinely test and train teams on cybersecurity playbooks with clearly defined roles, escalation paths, and procedures for containment and forensic investigation.
  • Mandate data forensics and dark web surveillance: In circumstances where data exfiltration is suspected, organisations should require thorough forensic analysis and more continuous dark web monitoring to detect potential personal data exposure.
  • Safeguard high-risk health data according to jurisdictional standards: Where health data is classified as sensitive or high risk, implement proportionate data protection controls aligned with applicable legal and regulatory obligations and in line with regulator expectations.

(i) Specific implications for the healthcare sector

This decision reinforces that organisations handling healthcare personal data must implement the tailored and strong technical and governance safeguards necessary to protect information of that sensitivity. It also highlights the need for buyers of healthcare IT systems to conduct rigorous pre-acquisition cyber due diligence; to have an integration plan for acquisitions that addresses material gaps in cybersecurity and ensures personnel of the acquired business are aware of the company’s incident response procedures; and to clearly allocate contractual responsibility for potential legacy vulnerabilities.

Beyond Australia, the decision signals a broader trend: regulatory and judicial responses to major health data breaches are increasingly scrutinising cyber and governance failures and the adequacy of post-incident response and assessments.

Conclusion

The Australian Federal Court’s decision confirms that Australian courts are willing to impose substantial penalties for systemic failures to protect sensitive personal information and for delays in breach assessment and notification. In this case, penalties were issued under the previous regime, which capped fines at AU$2.22 million per contravention and the total possible fine was reduced due to the company’s ultimate co-operation and efforts to enhance security controls. However, the current framework, which commenced on 13 December 2022, allows for significantly higher penalties of up to AU$50 million, three times the benefit obtained from the conduct, or 30 percent of annual turnover per contravention.

Organisations subject to the Privacy Act should carefully consider the implications of this ruling. It highlights the importance of thorough cyber due diligence in IT acquisitions, timely remediation of inherited vulnerabilities, and strong internal capabilities for breach detection, response and assessment. More broadly, the decision cautions that across jurisdictions, reliance on narrowly scoped third-party reports may cause organisations to fall short of fulfilling breach assessment obligations.

For any assistance on understanding the impact of this decision, feel free to reach out to the authors or your usual Hogan Lovells contact.


Authored by Charmian Aw, Melissa B. Levine, and Ciara O'Leary.

References

  [1] Please note that even larger penalties are now available under the law; furthermore, this penalty was reduced from what was possible due to the company’s ultimate co-operation and remediation efforts.
