Australians exposed by new corporate data breach

The personal information of 223,000 individuals, including medical records and credit card numbers, has been exposed by yet another corporate cyber attack.

Australian Clinical Labs Limited (ACL) has reported a data breach impacting Medlab Pathology, a pathology business acquired by ACL in December 2021.

The breach has exposed the personal information of Medlab’s patients and staff, with a forensic analysis identifying approximately 223,000 individual victims, mostly based in NSW and Queensland.


The personal information exposed by the breach includes:

  • ~17,539 individual medical and health records associated with a pathology test;
  • ~28,286 credit card numbers and individuals’ names — ~15,724 of which have expired and ~3,375 have a CVV code; and
  • ~128,608 Medicare numbers (not copies of cards) and an individual’s name.

ACL has notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).

According to ACL, it is yet to identify evidence of “misuse of any of the information or any demand made of Medlab or ACL”.

In response to the incident, ACL decommissioned the compromised Medlab server, which is reportedly no longer in use.

Further, ACL reported that its broader systems and databases are not affected by the incident.

Medlab reportedly became aware of unauthorised third-party access to its IT system in February 2022 and “coordinated a forensic investigation led by independent external cyber experts”.

However, the investigation did not find any evidence that information had been compromised.

A month later, the company was contacted by the ACSC, which revealed it had received intelligence that Medlab may have been the victim of a ransomware incident.

Accordingly, the company responded to the request for information, reporting it was not aware any data was compromised.

In June, the ACSC approached ACL for a second time, notifying Medlab that information had been posted on the dark web.

ACL then took steps to find and download the complex and unstructured dataset from the dark web and made efforts to permanently remove it.

After consulting with cyber specialists, ACL launched a program to determine the nature of the information involved and any individuals at risk of serious harm as a result of the incident.

This program has reportedly produced the findings now released to the market.

ACL will now directly contact affected individuals at risk from the breach.

“On behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred,” ACL CEO Melinda McGrath said.

“We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected. We are in the process of providing tailored notifications to the individuals involved.

“We want to assure all individuals involved that ACL is committed to providing every reasonable support to them. We will continue to work with the relevant authorities.”

This is the latest of a series of corporate cyber attacks reported in recent months, including the attacks on Optus, Medibank, and Woolworths.
