Australian Clinical Labs / Medlab Breach 2022:
What You Need to Know
Approximately 223,000 patient records were exfiltrated from Medlab Pathology, a subsidiary of Australian Clinical Labs, by the Quantum ransomware group in early 2022. The dataset included approximately 128,000 Medicare numbers, approximately 17,500 pathology test results and approximately 28,000 credit card records. In 2025 the Federal Court ordered ACL to pay $5.8 million in civil penalties - the first such penalty ever ordered under the Privacy Act 1988.
Your personal risk from this breach
Sign in or create a free account to see your personalised risk score.
What Happened
How the Medlab Breach Unfolded
February 2022
Attackers (subsequently identified as the Quantum ransomware group) gained initial access to Medlab Pathology, the pathology subsidiary acquired by Australian Clinical Labs (ACL) in 2021. Data was exfiltrated over the following weeks before any detection occurred.
March 2022
ACL detected unusual activity on Medlab's network and engaged external cybersecurity specialists. ACL's initial assessment concluded that no data had been removed from the environment, a conclusion the OAIC later alleged was unreasonable given the available evidence.
June - July 2022
The Quantum ransomware group published approximately 86 GB of stolen Medlab data to its dark web leak site. The Australian Cyber Security Centre (ACSC) notified Medlab of the dark web publication in June 2022, and on 10 July 2022 ACL formally notified the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.
27 October 2022
ACL publicly disclosed the breach via the ASX, confirming approximately 223,000 patient recordswere affected. The dataset included names, addresses, approximately 128,000 Medicare numbers, approximately 17,500 pathology test results and clinical information, and approximately 28,000 patients' partial credit card details.
The public disclosure came roughly three months after ACL had formally notified the OAIC and seven months after first detecting unusual activity.
December 2022
The OAIC opened a formal investigation into ACL's handling of the Medlab breach under the Privacy Act 1988 (Cth).
November 2023
The OAIC filed civil penalty proceedings against ACL in the Federal Court, alleging serious or repeated interferences with privacy under the Privacy Act 1988. This was the first such action pursued under the Notifiable Data Breaches scheme.
2025
The Federal Court ordered Australian Clinical Labs to pay a total of $5.8 million in civil penalties - the first civil penalty ever ordered under the Privacy Act 1988. The penalty comprised $4.2 million for failing to take reasonable steps to protect personal information, $800,000 for failing to carry out a reasonable assessment of whether the breach was an eligible data breach, and $800,000 for failing to notify the OAIC as soon as practicable.
This landmark ruling set the precedent for OAIC enforcement under the post-2022 reformed Privacy Act and signals a more assertive regulatory posture following the Optus and Medibank breaches.
Sources: MinterEllison (OAIC enforcement case analysis), OAIC: Notifiable Data Breaches
What Was Exposed
Personal Data Leaked in the Breach
The breach affected approximately 223,000 patients of Medlab Pathology, the subsidiary of Australian Clinical Labs that operated the compromised systems. The data exposed varies between patients: some had only basic contact information leaked, while others had Medicare numbers, pathology test results, and limited credit card data included in the dataset.
| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | High | All approximately 223,000 affected Medlab patients |
| Date of birth | High | All approximately 223,000 affected Medlab patients |
| Home address | High | All approximately 223,000 affected Medlab patients |
| Phone number | High | All approximately 223,000 affected Medlab patients |
| Email address | High | Subset of affected Medlab patients |
| Medicare number | High | Approximately 128,000 patients |
| Pathology test results / clinical information | High | Approximately 17,500 patients (pathology results, diagnoses, referring provider details) |
| Health insurance details | High | Subset of affected Medlab patients |
| Credit card data (limited) | High | Approximately 28,000 patients (partial card data; PCI-DSS standards mean full PAN+CVV were not stored) |
Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Pathology results and clinical information are rated at the highest level due to their sensitivity and the impossibility of changing or revoking medical history.
Confirmed NOT Exposed
Based on public disclosures, full bank account details (BSB and account number combinations), full credit card numbers with CVV, and account passwords were not part of the leaked dataset. The physical pathology samples themselves are obviously not in scope of a data breach. Limited card data was included for a subset of patients, but PCI-DSS standards mean the full PAN combined with CVV is not stored by compliant merchants.
Company Response
What Australian Clinical Labs Did
“ACL has cooperated fully with the OAIC's investigation and continues to work closely with cyber security experts and authorities. The protection of patient information remains a priority for the business.”
Actions Taken by Australian Clinical Labs
- Engaged external cybersecurity specialists following detection of unusual activity in July 2022
- Notified the Office of the Australian Information Commissioner (OAIC) after the data was published on the dark web in October 2022
- Began contacting affected patients directly with details of their specific exposed data
- Cooperated with the OAIC investigation and subsequent Federal Court enforcement proceedings
- Reviewed and strengthened security controls across the combined ACL and Medlab environments following the incident
What Now?
Steps You Can Take After the Medlab Breach
This breach is particularly sensitive because it included pathology test results and Medicare numbers for a subset of patients, alongside name date of birth home address and phone number for the broader group. Unlike a password, clinical data cannot be changed or reissued, so the risk from this breach is not time-limited. Here are general best-practice steps, organised by the types of accounts most commonly affected.
Health Provider Accounts
Your pathology provider account was exposed. Other health provider portals may use the same email.
Secure your ACL / Medlab patient account
~5 minReview other pathology and health provider accounts
Email and Digital Identity
Your email is the key to your digital identity. Securing it is a sensible first step.
Strengthen email security
~5 minUnderstand your full account exposure
Identity and Medicare Protection
Medicare numbers and clinical information carry long-term identity and privacy risks.
Consider a credit ban (especially if your Medicare number was exposed)
~20 minContact Services Australia about Medicare number misuse
~15 minMonitor card statements closely
Recognise the ongoing nature of clinical data exposure
Monitoring and Reporting
Australian resources for breach response and identity protection.
Contact IDCare for tailored guidance on sensitive health data exposure
Stay alert for targeted phishing (including health-related scams)
Not sure which of your accounts are affected?
In The Event Of helps you find the accounts linked to your email and shows your breach exposure, so you can work through a clear, prioritised plan after an incident.
Are You Still at Risk?
The Hidden Danger: Compound Breach Exposure
The Medlab breach did not happen in isolation. If your data also appeared in other major Australian health-sector breaches, the combination of leaked information can build a deeply detailed medical and identity profile.
How breach data compounds
On its own, the Medlab breach exposed names, addresses, Medicare numbers, and pathology results for a subset of patients. But if your email also appeared in the Medibank, Genea, MediSecure, or Optus breaches, the combined dataset may include health claims, fertility records, electronic prescriptions, and identity documents. This kind of compound exposure across the health sector significantly increases the risk of identity fraud and targeted medical scams.
- Medibank (2022)9.7M records - health claims, Medicare details
- Genea (2025)940K records - fertility patient data
- MediSecure (2025)12.9M records - electronic prescriptions
- Optus (2022)9.8M records - passport, licence, Medicare numbers
If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.
Frequently Asked Questions
Australian Clinical Labs / Medlab Breach FAQ
Sources
- OAIC: Australian Clinical Labs ordered to pay penalties in relation to Medlab Pathology data breach in first for Privacy Act (2025)
- OAIC: Commences Federal Court proceedings against Australian Clinical Labs Limited (November 2023)
- BleepingComputer: "Australian Clinical Labs says patient data stolen in ransomware attack" (Quantum group attribution)
- BankInfoSecurity: "Medlab Pathology Breach Impacts 223,000 Australians" (breakdown of Medicare / pathology / credit card counts)
- MinterEllison: "Australian Clinical Labs to pay penalties for data breach" (case analysis)
- Australian Clinical Labs
- OAIC: Notifiable Data Breaches scheme
- Services Australia: Medicare
- IDCare: National identity and cyber support service
- OAIC: What is personal information? (Privacy Act 1988 categories)
Other Major Australian Data Breaches
Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.
ACMI Data Breach 2026
~25,000 records exposed
Melbourne Film Festival Data Breach 2026
~26,782 records exposed
UWA Callista Student System Data Breach 2026
Undisclosed records exposed
University of Sydney Data Breach 2025
~27K records exposed
NYC Health + Hospitals Data Breach 2026
~1.8M records exposed
Australian Courts Data Breach 2026
Thousands of files records exposed
youX Data Breach 2026
~444K records exposed
Prosura Data Breach 2026
300K-500K records exposed
Canvas (Instructure) Data Breach 2026
~275M (claimed) records exposed
Booking.com Data Breach 2026
Undisclosed records exposed
McGraw Hill Data Breach 2026
13.5M records exposed
Crunchyroll Data Breach 2026
Undisclosed records exposed
Eurail Data Breach 2026
300K+ records exposed
Basic-Fit Data Breach 2026
1M records exposed
Under Armour Data Breach 2025
72M records exposed
Salesforce (ShinyHunters) Data Breach 2025
~1B records exposed
Allianz Life Data Breach 2025
2.8M records exposed
Workday Data Breach 2025
Undisclosed records exposed
Western Sydney University Data Breach 2025
10K records exposed
Genea Fertility Data Breach 2025
940K records exposed
DeepSeek Data Breach 2025
1M records exposed
Tangerine Telecom Data Breach 2024
232K records exposed
Qantas Data Breach 2025
5.7M records exposed
Optus Data Breach 2022
9.8M records exposed
Medibank Data Breach 2022
9.7M records exposed
Latitude Financial Data Breach 2023
14M records exposed
MyDeal (Woolworths) Data Breach 2022
2.2M records exposed
Guides to read next
In The Event Of is an Australian digital footprint manager that helps you find the accounts linked to your email, see your breach exposure, and work through a prioritised action plan. These guides walk through the steps:
Disclaimer:This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing, including the OAIC's 2025 announcement of the Federal Court's $5.8 million civil penalty order against Australian Clinical Labs. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Australian Clinical Labs Limited or Medlab Pathology. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.