
Australian Clinical Labs / Medlab Breach 2022: What You Need to Know

Approximately 223,000 patient records were exfiltrated from Medlab Pathology, a subsidiary of Australian Clinical Labs. The dataset included Medicare numbers, pathology results, and limited credit card data. The OAIC is now pursuing a precedent-setting enforcement case in the Federal Court.

Breach detected: July 2022
Records affected: ~223,000
Risk level: High


What Happened

How the Medlab Breach Unfolded

February 2022

Attackers gained initial access to Medlab Pathology, the pathology subsidiary acquired by Australian Clinical Labs (ACL) in 2021. Data was exfiltrated over the following weeks before any detection occurred.

July 2022

ACL detected unusual activity on Medlab's network and engaged external cybersecurity specialists. ACL's initial assessment concluded that no data had been removed from the environment — a conclusion that would later prove incorrect.

October 2022

Attackers published approximately 223,000 patient records on a dark web leak site, contradicting ACL's earlier assessment. The data included names, addresses, Medicare numbers, pathology results, and limited credit card information.

Late October 2022

ACL publicly confirmed the breach, notified the Office of the Australian Information Commissioner (OAIC), and began contacting affected patients. The disclosure came roughly three months after the initial detection of unusual activity.

2023

The OAIC commenced enforcement proceedings in the Federal Court against Australian Clinical Labs, alleging serious or repeated interferences with privacy under the Privacy Act 1988. This is one of the first major Notifiable Data Breaches (NDB) scheme enforcement actions pursued by the regulator.

2024-2026

The OAIC enforcement case continues to progress through the Federal Court. The proceedings are widely regarded as a precedent-setting moment for Australian privacy regulation and signal a more assertive enforcement posture from the regulator following the Optus and Medibank breaches.

This guide is being published in 2026 because the OAIC enforcement case remains live, and the Medlab dataset continues to surface in identity-fraud kits used today.

Sources: MinterEllison (OAIC enforcement case analysis), OAIC: Notifiable Data Breaches

What Was Exposed

Personal Data Leaked in the Breach

The breach affected approximately 223,000 patients of Medlab Pathology, the subsidiary of Australian Clinical Labs that operated the compromised systems. The data exposed varies between patients: some had only basic contact information leaked, while others had Medicare numbers, pathology test results, and limited credit card data included in the dataset.

Data Type                                      | Risk Level | Who Was Affected
Full name                                      | High       | All approximately 223,000 affected Medlab patients
Date of birth                                  | High       | All approximately 223,000 affected Medlab patients
Home address                                   | High       | All approximately 223,000 affected Medlab patients
Phone number                                   | High       | All approximately 223,000 affected Medlab patients
Email address                                  | High       | Subset of affected Medlab patients
Medicare number                                | High       | Subset of affected Medlab patients
Pathology test results / clinical information  | High       | Subset of affected Medlab patients (pathology results, diagnoses, referring provider details)
Health insurance details                       | High       | Subset of affected Medlab patients
Credit card data (limited)                     | High       | Approximately 17,500 patients (partial card data; PCI-DSS standards mean full PAN+CVV were not stored)

Risk levels are based on the OAIC guidance "What is personal information?" and the OAIC Australian Privacy Principles. Pathology results and clinical information are rated at the highest level because of their sensitivity and because medical history cannot be changed or revoked once exposed.

Confirmed NOT Exposed

Based on public disclosures, full bank account details (BSB and account number combinations), full credit card numbers with CVV, and account passwords were not part of the leaked dataset. The physical pathology samples themselves are obviously not in scope of a data breach. Limited card data was included for a subset of patients, but PCI-DSS standards mean the full PAN combined with CVV is not stored by compliant merchants.

Company Response

What Australian Clinical Labs Did

“ACL has cooperated fully with the OAIC's investigation and continues to work closely with cyber security experts and authorities. The protection of patient information remains a priority for the business.”
Australian Clinical Labs, public statements on the Medlab breach

Actions Taken by Australian Clinical Labs

  • Engaged external cybersecurity specialists following detection of unusual activity in July 2022
  • Notified the Office of the Australian Information Commissioner (OAIC) after the data was published on the dark web in October 2022
  • Began contacting affected patients directly with details of their specific exposed data
  • Cooperated with the OAIC investigation and subsequent Federal Court enforcement proceedings
  • Reviewed and strengthened security controls across the combined ACL and Medlab environments following the incident

What Now?

Steps You Can Take After the Medlab Breach

This breach is particularly sensitive because it included pathology test results and Medicare numbers for a subset of patients, alongside name, date of birth, home address and phone number for the broader group. Unlike a password, clinical data cannot be changed or reissued, so the risk from this breach is not time-limited. Here are general best-practice steps, organised by the types of accounts most commonly affected.

Health Provider Accounts

Your pathology provider account was exposed. Other health provider portals may use the same email.

Secure your ACL / Medlab patient account (~5 min)

It is generally considered best practice to update the password on any Australian Clinical Labs or Medlab patient portal associated with exposed data. Enabling MFA where available adds a significant layer of protection. Consider reviewing recent activity for any unauthorised access or changes.
Go to Australian Clinical Labs

Review other pathology and health provider accounts

Where the same email address or password has been used across other pathology providers (Healius, Sonic Healthcare), GP patient portals, or My Health Record, consider updating credentials on those accounts as well. Credential reuse remains one of the most common ways a single breach leads to broader exposure across the health sector.

Email and Digital Identity

Your email is the key to your digital identity. Securing it is a sensible first step.

Strengthen email security (~5 min)

Updating the password and enabling MFA on email accounts associated with the breach is widely recommended. It is also worth checking email forwarding rules and connected app permissions, as these can be exploited to silently intercept communications, including communications from your health providers.

Understand your full account exposure

Most people have dozens of online accounts linked to a single email address. When that email is exposed in a breach, understanding which services are connected is a critical first step in assessing personal risk. Tools that map your digital footprint can help identify accounts that may need attention.

Identity and Medicare Protection

Medicare numbers and clinical information carry long-term identity and privacy risks.

Consider a credit ban (especially if your Medicare number was exposed) (~20 min)

For those whose Medicare number or date of birth was included in the exposed data, the risk of identity fraud is elevated. Placing a free credit ban with Australian credit bureaus prevents new credit from being opened in your name without additional verification.

Contact Services Australia about Medicare number misuse (~15 min)

If a Medicare number was included in the breach, it is worth contacting Services Australia to discuss potential protections. A replacement Medicare card with a new number may be available where there is evidence of misuse or a heightened risk of identity fraud.
Services Australia: Medicare

Monitor card statements closely

For patients whose credit card data was included (approximately 17,500 records), reviewing card statements for unfamiliar transactions is a sensible precaution. Although PCI-DSS standards prevent storage of full PAN+CVV combinations, partial card data is still useful for fraud reconnaissance and targeted scams.

Recognise the ongoing nature of clinical data exposure

Unlike a password or credit card, exposed pathology results and clinical information cannot be changed, reissued, or revoked. This means the risk from this breach is not time-limited. It is prudent to remain alert to any unexpected contact that references medical history, pathology results, or specific referring providers, and to treat such contact with caution regardless of how legitimate it may appear.

Monitoring and Reporting

Australian resources for breach response and identity protection.

Contact IDCare for tailored guidance on sensitive health data exposure

IDCare (1800 595 160) is Australia's national identity and cyber support service and provides free, tailored guidance for people affected by data breaches. IDCare is particularly useful where sensitive health data has been exposed, as their case managers can help develop a personalised response plan covering Medicare, credit, and medical identity protection.

Stay alert for targeted phishing (including health-related scams)

An exposed name, Medicare number and pathology results may be used to craft highly convincing phishing messages. Some phishing attempts may reference specific test results, referring GPs, or medical conditions to appear legitimate. Treat any unsolicited contact referencing Medlab, ACL, or specific pathology details with caution, and verify directly through official channels.

Report to Scamwatch or lodge a complaint with the OAIC

Reporting to Scamwatch contributes to broader awareness and helps authorities track emerging threats. Affected patients can also lodge a privacy complaint directly with the OAIC if they believe their personal information was mishandled.


Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

The Medlab breach did not happen in isolation. If your data also appeared in other major Australian health-sector breaches, the combination of leaked information can build a deeply detailed medical and identity profile.

How breach data compounds

On its own, the Medlab breach exposed names, addresses, Medicare numbers, and pathology results for a subset of patients. But if your email also appeared in the Medibank, Genea, MediSecure, or Optus breaches, the combined dataset may include health claims, fertility records, electronic prescriptions, and identity documents. This kind of compound exposure across the health sector significantly increases the risk of identity fraud and targeted medical scams.

  • Medibank (2022): 9.7M records - health claims, Medicare details
  • Genea (2025): 940K records - fertility patient data
  • MediSecure (2025): 12.9M records - electronic prescriptions
  • Optus (2022): 9.8M records - passport, licence, Medicare numbers

If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.



Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments, including any outcome of the ongoing OAIC enforcement proceedings. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Australian Clinical Labs Limited or Medlab Pathology. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.