Australian Clinical Labs Limited (ASX: ACL), a leading Australian private provider of pathology services whose NATA accredited laboratories perform a diverse range of pathology tests, has reached an agreement with the Australian Information Commissioner (AIC) to resolve a civil penalty proceeding. The proceeding, commenced in November 2023, relates to a cyberattack on Medlab Pathology that occurred in February 2022, shortly after ACL’s acquisition of the business. ACL has clarified that its own data and IT systems were not impacted by the Medlab Cyberattack.

Under the agreement with the AIC, both parties have filed a Statement of Agreed Facts and Admissions, along with joint submissions, with the Federal Court. They have jointly proposed that ACL pay a penalty of $5.8 million for contraventions of the Privacy Act 1988, in addition to contributing $400,000 towards the AIC’s legal costs. The agreement is still subject to approval by the Federal Court, which has reserved its judgment on the matter.

ACL anticipates that the settlement will not have a material impact on its ongoing operations or financial position beyond the agreed settlement amount. The company has confirmed that following the acquisition of Medlab, its IT systems were integrated into ACL’s infrastructure and are now subject to ACL’s cybersecurity framework and protections.

ACL has reiterated its apology to the Medlab customers and employees affected by the cyberattack. The company says that it remains committed to protecting patient data, ensuring robust data governance, and continuously improving its cybersecurity systems and controls, allowing it to focus on strategic objectives and service delivery. Eleanor Padman, Company Secretary of ACL, authorised the release of the announcement.