1st October 2025 Cyber Update: Australian Clinical Labs Agrees to $5.8M Penalty for 2022 Data Breach

Australian Clinical Labs (ACL) has agreed to a $5.8 million penalty following a 2022 data breach at its subsidiary, Medlab Pathology. The breach, orchestrated by the Quantum ransomware group, exposed the sensitive data of 223,000 Australians, prompting regulatory action from the OAIC.


Cyber News Centre's cyber update for 1st October 2025: Australian Clinical Labs (ACL) has agreed to a $5.8 million penalty following a significant 2022 data breach at its subsidiary, Medlab Pathology.

Australian Clinical Labs is a major provider of pathology services across Australia. The company acquired Medlab Pathology in December 2021, expanding its network of laboratories and collection centres.

The Update and Why It Matters

The Update: Australian Clinical Labs (ACL) has formally agreed to a $5.8 million penalty to resolve Federal Court proceedings initiated by the Office of the Australian Information Commissioner (OAIC). The action follows a 2022 data breach at Medlab Pathology, which ACL had acquired months earlier.

The breach, attributed to the Quantum ransomware group, resulted in the theft of 86 gigabytes of data, compromising the personal and medical information of approximately 223,000 Australians. Exposed data included health records, personal identification, and credit card and Medicare details.

ACL first reported the incident in October 2022 after being notified by the Australian Cyber Security Centre (ACSC) that the stolen data had been published on the dark web. The company has also agreed to contribute $400,000 towards the OAIC’s legal costs. The proposed penalty is now awaiting final approval from the Federal Court.

“ACL would like to again apologise to the Medlab customers and employees that were impacted as a result of this cyber attack. While the Medlab cyber attack was isolated to the newly acquired Medlab business, we remain steadfast in our commitment to the protection of patient data, data governance and continuously improving our cyber security systems and controls,” ACL said in a 29 September statement. An image of the full statement is included further down this page.

Why it Matters: This substantial penalty highlights the increasing financial consequences for organisations that fail to protect sensitive data. The case demonstrates the OAIC’s willingness to take significant enforcement action, setting a precedent for future data breaches in Australia.

For the healthcare sector, it is a stark reminder of the immense responsibility that comes with holding sensitive patient information and the critical need for robust cyber security measures, particularly during mergers and acquisitions. The exposure of detailed health and financial information creates long-term risks for the 223,000 affected individuals, including potential identity theft and targeted fraud.

AIC proceedings - update
