Australian Clinical Labs — Acquired Without Inspection

Australian Clinical Labs (ACL) is one of Australia's largest pathology providers. In December 2021, ACL acquired Medlab Pathology, an existing pathology business with around 200 collection centres. With the acquisition came Medlab's existing IT environment, customer record systems and security controls.

ACL's parent organisation maintained a documented information security framework with controls covering access management, vulnerability management, incident response and third-party risk. Acquired entities were nominally subject to the framework. However, in practice, integration of Medlab's IT environment into ACL's controls was deferred. ACL relied on Medlab's pre-existing security arrangements as adequate without performing a documented gap assessment against the parent framework.

In February 2022, an attacker exfiltrated 86 GB of data from a Medlab system, including 223,000 individuals' health information, identity documents and credit card details. ACL was made aware of the incident in February 2022 by both the ACSC and a third party, but did not identify the data exfiltration during its own internal review and concluded no notifiable data breach had occurred. The OAIC was not notified until July 2022, more than four months after ACL had reasonable grounds to suspect a breach. In October 2025, ACL was fined AU$5.8 million.

Investigation showed the compromised Medlab environment had multiple long-standing weaknesses: end-of-life operating systems, missing endpoint monitoring, and incomplete logging - all pre-dating the acquisition. None of these had been raised through ACL's incident response or audit processes during the eight months between acquisition and breach.