In February 2022, **Australian Clinical Labs (ACL)**, a major pathology-services provider, suffered a **massive data breach** exposing the **personal data of 21.5 million individuals**. The incident led to a prolonged legal battle with **Australia’s privacy watchdog**, culminating in a pending settlement after the Federal Court of Australia canceled a two-week trial in favor of a **half-day hearing on liability and penalties**. The breach compromised sensitive health-related information, triggering regulatory scrutiny and potential financial penalties. The scale of the leak—affecting nearly the entire Australian population—highlights severe lapses in data protection, with long-term reputational and compliance risks for ACL. The case underscores the growing legal and operational consequences of large-scale data breaches in highly regulated sectors like healthcare.
TPRM report: https://www.rankiteo.com/company/australian-clinical-labs
{
  "id": "aus1332813091725",
  "linkid": "australian-clinical-labs",
  "type": "Breach",
  "date": "2/2022",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': '21.5 million',
                        'industry': 'Healthcare',
                        'location': 'Australia',
                        'name': 'Australian Clinical Labs (ACL)',
                        'type': 'Pathology-services provider'}],
 'data_breach': {'number_of_records_exposed': '21,500,000',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personal data)',
                 'type_of_data_compromised': 'Personal data'},
 'date_publicly_disclosed': '2022-02',
 'description': 'Australian Clinical Labs (ACL), a pathology-services '
                'provider, experienced a data breach in February 2022 that '
                'compromised the personal data of 21.5 million people. The '
                'incident led to a long-running lawsuit by Australia’s privacy '
                'watchdog, which appears to be nearing settlement as of '
                'September 2025. The Federal Court of Australia canceled the '
                'originally scheduled two-week trial, replacing it with a '
                'half-day hearing on liability and penalty.',
 'impact': {'brand_reputation_impact': 'Long-running lawsuit and regulatory '
                                       'scrutiny',
            'data_compromised': 'Personal data of 21.5 million people',
            'identity_theft_risk': 'High (personal data of 21.5 million '
                                   'exposed)',
            'legal_liabilities': 'Lawsuit by Australia’s privacy watchdog; '
                                 'potential settlement and penalties'},
 'investigation_status': 'Ongoing (settlement hearing scheduled for September '
                         '29, 2025)',
 'references': [{'date_accessed': '2025-09-17', 'source': 'MLex Insight'}],
 'regulatory_compliance': {'legal_actions': 'Lawsuit by Australia’s privacy '
                                            'watchdog; settlement hearing '
                                            'scheduled for September 29, 2025',
                           'regulations_violated': ['Australian Privacy Act '
                                                    '(implied)'],
                           'regulatory_notifications': 'Federal Court of '
                                                       'Australia involved; '
                                                       'privacy watchdog '
                                                       'enforcement case'},
 'title': 'Australian Clinical Labs Data Breach (February 2022)',
 'type': 'Data Breach'}