Ransomware

Australian Clinical Labs / Medlab Pathology Breach (223K Patients, First Privacy Act Civil Penalty)

📅 2022-02-01
Primary Source ↗

Incident Details

In approximately February 2022, the Medlab Pathology subsidiary of Australian Clinical Labs (ACL) suffered a ransomware attack in which approximately 223,000 patients’ sensitive medical and personal data was exfiltrated. The stolen data included pathology test results, Medicare numbers, credit card numbers, health insurance information, and medical conditions. The attackers, attributed to the Quantum ransomware group, exfiltrated the data before deploying ransomware. ACL did not fully notify affected patients until March 2023, more than a year after the breach, and that delay became the central compliance issue. The Office of the Australian Information Commissioner (OAIC) investigated, and in July 2025 the Federal Court imposed a civil penalty of AUD 1.425 million on ACL for failing to take reasonable steps to protect patient data and for the delayed notification: the first civil penalty ever imposed under Australia’s Privacy Act 1988. The case set a landmark precedent for Privacy Act enforcement in Australia.

Technical Details

Initial Attack Vector
Ransomware attackers compromised Medlab Pathology (a subsidiary of Australian Clinical Labs) via an unpatched internet-facing system, exfiltrating patient pathology records before deploying ransomware.

Timeline

  1. 2022-02-01: Breach occurred
  2. 2022-05-26: Publicly disclosed
  3. 2023-03-01: Customers notified