A

Australian Clinical Labs / Medlab Breach 2022:
What You Need to Know

Approximately 223,000 patient records were exfiltrated from Medlab Pathology, a subsidiary of Australian Clinical Labs, by the Quantum ransomware group in early 2022. The dataset included approximately 128,000 Medicare numbers, approximately 17,500 pathology test results and approximately 28,000 credit card records. In 2025 the Federal Court ordered ACL to pay $5.8 million in civil penalties - the first such penalty ever ordered under the Privacy Act 1988.

Breach detected:July 2022
Records affected:~223,000
Risk level:High

Your personal risk from this breach

Sign in or create a free account to see your personalised risk score.

View My Risk

What Happened

How the Medlab Breach Unfolded

February 2022

Attackers (subsequently identified as the Quantum ransomware group) gained initial access to Medlab Pathology, the pathology subsidiary acquired by Australian Clinical Labs (ACL) in 2021. Data was exfiltrated over the following weeks before any detection occurred.

March 2022

ACL detected unusual activity on Medlab's network and engaged external cybersecurity specialists. ACL's initial assessment concluded that no data had been removed from the environment, a conclusion the OAIC later alleged was unreasonable given the available evidence.

June - July 2022

The Quantum ransomware group published approximately 86 GB of stolen Medlab data to its dark web leak site. The Australian Cyber Security Centre (ACSC) notified Medlab of the dark web publication in June 2022, and on 10 July 2022 ACL formally notified the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.

27 October 2022

ACL publicly disclosed the breach via the ASX, confirming approximately 223,000 patient recordswere affected. The dataset included names, addresses, approximately 128,000 Medicare numbers, approximately 17,500 pathology test results and clinical information, and approximately 28,000 patients' partial credit card details.

The public disclosure came roughly three months after ACL had formally notified the OAIC and seven months after first detecting unusual activity.

December 2022

The OAIC opened a formal investigation into ACL's handling of the Medlab breach under the Privacy Act 1988 (Cth).

November 2023

The OAIC filed civil penalty proceedings against ACL in the Federal Court, alleging serious or repeated interferences with privacy under the Privacy Act 1988. This was the first such action pursued under the Notifiable Data Breaches scheme.

2025

The Federal Court ordered Australian Clinical Labs to pay a total of $5.8 million in civil penalties - the first civil penalty ever ordered under the Privacy Act 1988. The penalty comprised $4.2 million for failing to take reasonable steps to protect personal information, $800,000 for failing to carry out a reasonable assessment of whether the breach was an eligible data breach, and $800,000 for failing to notify the OAIC as soon as practicable.

This landmark ruling set the precedent for OAIC enforcement under the post-2022 reformed Privacy Act and signals a more assertive regulatory posture following the Optus and Medibank breaches.

Sources: MinterEllison (OAIC enforcement case analysis), OAIC: Notifiable Data Breaches

What Was Exposed

Personal Data Leaked in the Breach

The breach affected approximately 223,000 patients of Medlab Pathology, the subsidiary of Australian Clinical Labs that operated the compromised systems. The data exposed varies between patients: some had only basic contact information leaked, while others had Medicare numbers, pathology test results, and limited credit card data included in the dataset.

Data TypeRisk LevelWho Was Affected
Full nameHighAll approximately 223,000 affected Medlab patients
Date of birthHighAll approximately 223,000 affected Medlab patients
Home addressHighAll approximately 223,000 affected Medlab patients
Phone numberHighAll approximately 223,000 affected Medlab patients
Email addressHighSubset of affected Medlab patients
Medicare numberHighApproximately 128,000 patients
Pathology test results / clinical informationHighApproximately 17,500 patients (pathology results, diagnoses, referring provider details)
Health insurance detailsHighSubset of affected Medlab patients
Credit card data (limited)HighApproximately 28,000 patients (partial card data; PCI-DSS standards mean full PAN+CVV were not stored)

Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Pathology results and clinical information are rated at the highest level due to their sensitivity and the impossibility of changing or revoking medical history.

Confirmed NOT Exposed

Based on public disclosures, full bank account details (BSB and account number combinations), full credit card numbers with CVV, and account passwords were not part of the leaked dataset. The physical pathology samples themselves are obviously not in scope of a data breach. Limited card data was included for a subset of patients, but PCI-DSS standards mean the full PAN combined with CVV is not stored by compliant merchants.

Company Response

What Australian Clinical Labs Did

“ACL has cooperated fully with the OAIC's investigation and continues to work closely with cyber security experts and authorities. The protection of patient information remains a priority for the business.”
Australian Clinical Labs, public statements on the Medlab breach

Actions Taken by Australian Clinical Labs

  • Engaged external cybersecurity specialists following detection of unusual activity in July 2022
  • Notified the Office of the Australian Information Commissioner (OAIC) after the data was published on the dark web in October 2022
  • Began contacting affected patients directly with details of their specific exposed data
  • Cooperated with the OAIC investigation and subsequent Federal Court enforcement proceedings
  • Reviewed and strengthened security controls across the combined ACL and Medlab environments following the incident

What Now?

Steps You Can Take After the Medlab Breach

This breach is particularly sensitive because it included pathology test results and Medicare numbers for a subset of patients, alongside name date of birth home address and phone number for the broader group. Unlike a password, clinical data cannot be changed or reissued, so the risk from this breach is not time-limited. Here are general best-practice steps, organised by the types of accounts most commonly affected.

Health Provider Accounts

Your pathology provider account was exposed. Other health provider portals may use the same email.

Secure your ACL / Medlab patient account

~5 min
It is generally considered best practice to update the password on any Australian Clinical Labs or Medlab patient portal associated with exposed data. Enabling MFA where available adds a significant layer of protection. Consider reviewing recent activity for any unauthorised access or changes.
Go to Australian Clinical Labs

Review other pathology and health provider accounts

Where the same email address or password has been used across other pathology providers (Healius, Sonic Healthcare), GP patient portals, or My Health Record, consider updating credentials on those accounts as well. Credential reuse remains one of the most common ways a single breach leads to broader exposure across the health sector.

Email and Digital Identity

Your email is the key to your digital identity. Securing it is a sensible first step.

Strengthen email security

~5 min
Updating the password and enabling MFA on email accounts associated with the breach is widely recommended. It is also worth checking email forwarding rules and connected app permissions, as these can be exploited to silently intercept communications, including communications from your health providers.

Understand your full account exposure

Most people have dozens of online accounts linked to a single email address. When that email is exposed in a breach, understanding which services are connected is a critical first step in assessing personal risk. Tools that map your digital footprint can help identify accounts that may need attention.

Identity and Medicare Protection

Medicare numbers and clinical information carry long-term identity and privacy risks.

Consider a credit ban (especially if your Medicare number was exposed)

~20 min
For those whose Medicare number or date of birth was included in the exposed data, the risk of identity fraud is elevated. Placing a free credit ban with Australian credit bureaus prevents new credit from being opened in your name without additional verification.

Contact Services Australia about Medicare number misuse

~15 min
If a Medicare number was included in the breach, it is worth contacting Services Australia to discuss potential protections. A replacement Medicare card with a new number may be available where there is evidence of misuse or a heightened risk of identity fraud.
Services Australia: Medicare

Monitor card statements closely

For patients whose credit card data was included (approximately 28,000 records), reviewing card statements for unfamiliar transactions is a sensible precaution. Although PCI-DSS standards prevent storage of full PAN+CVV combinations, partial card data is still useful for fraud reconnaissance and targeted scams.

Recognise the ongoing nature of clinical data exposure

Unlike a password or credit card, exposed pathology results and clinical information cannot be changed, reissued, or revoked. This means the risk from this breach is not time-limited. It is prudent to remain alert to any unexpected contact that references medical history, pathology results, or specific referring providers, and to treat such contact with caution regardless of how legitimate it may appear.

Monitoring and Reporting

Australian resources for breach response and identity protection.

Contact IDCare for tailored guidance on sensitive health data exposure

IDCare (1800 595 160) is Australia's national identity and cyber support service and provides free, tailored guidance for people affected by data breaches. IDCare is particularly useful where sensitive health data has been exposed, as their case managers can help develop a personalised response plan covering Medicare, credit, and medical identity protection.

Stay alert for targeted phishing (including health-related scams)

Exposed name Medicare number and pathology results may be used to craft highly convincing phishing messages. Some phishing attempts may reference specific test results, referring GPs, or medical conditions to appear legitimate. Treat any unsolicited contact referencing Medlab, ACL, or specific pathology details with caution, and verify directly through official channels.

Report to Scamwatch or lodge a complaint with the OAIC

Reporting to Scamwatch contributes to broader awareness and helps authorities track emerging threats. Affected patients can also lodge a privacy complaint directly with the OAIC if they believe their personal information was mishandled.

Not sure which of your accounts are affected?

In The Event Of helps you find the accounts linked to your email and shows your breach exposure, so you can work through a clear, prioritised plan after an incident.

Check My Email Free

Are You Still at Risk?

The Hidden Danger: Compound Breach Exposure

The Medlab breach did not happen in isolation. If your data also appeared in other major Australian health-sector breaches, the combination of leaked information can build a deeply detailed medical and identity profile.

How breach data compounds

On its own, the Medlab breach exposed names, addresses, Medicare numbers, and pathology results for a subset of patients. But if your email also appeared in the Medibank, Genea, MediSecure, or Optus breaches, the combined dataset may include health claims, fertility records, electronic prescriptions, and identity documents. This kind of compound exposure across the health sector significantly increases the risk of identity fraud and targeted medical scams.

  • Medibank (2022)9.7M records - health claims, Medicare details
  • Genea (2025)940K records - fertility patient data
  • MediSecure (2025)12.9M records - electronic prescriptions
  • Optus (2022)9.8M records - passport, licence, Medicare numbers

If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.

Were you affected?

Find out in 30 seconds. Free to check.

Check My Email Free

No credit card required.

Frequently Asked Questions

Australian Clinical Labs / Medlab Breach FAQ

Other Major Australian Data Breaches

Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.

ACMI Data Breach 2026

~25,000 records exposed

High

Melbourne Film Festival Data Breach 2026

~26,782 records exposed

High

UWA Callista Student System Data Breach 2026

Undisclosed records exposed

Medium

University of Sydney Data Breach 2025

~27K records exposed

High

NYC Health + Hospitals Data Breach 2026

~1.8M records exposed

Critical

Australian Courts Data Breach 2026

Thousands of files records exposed

Critical

youX Data Breach 2026

~444K records exposed

High

Prosura Data Breach 2026

300K-500K records exposed

High

Canvas (Instructure) Data Breach 2026

~275M (claimed) records exposed

Medium

Booking.com Data Breach 2026

Undisclosed records exposed

High

McGraw Hill Data Breach 2026

13.5M records exposed

High

Crunchyroll Data Breach 2026

Undisclosed records exposed

High

Eurail Data Breach 2026

300K+ records exposed

High

Basic-Fit Data Breach 2026

1M records exposed

High

Under Armour Data Breach 2025

72M records exposed

High

Salesforce (ShinyHunters) Data Breach 2025

~1B records exposed

High

Allianz Life Data Breach 2025

2.8M records exposed

High

Workday Data Breach 2025

Undisclosed records exposed

Medium

Western Sydney University Data Breach 2025

10K records exposed

High

Genea Fertility Data Breach 2025

940K records exposed

Critical

DeepSeek Data Breach 2025

1M records exposed

Medium

Tangerine Telecom Data Breach 2024

232K records exposed

High

Qantas Data Breach 2025

5.7M records exposed

High

Optus Data Breach 2022

9.8M records exposed

Critical

Medibank Data Breach 2022

9.7M records exposed

Critical

Latitude Financial Data Breach 2023

14M records exposed

Critical

MyDeal (Woolworths) Data Breach 2022

2.2M records exposed

High

Guides to read next

In The Event Of is an Australian digital footprint manager that helps you find the accounts linked to your email, see your breach exposure, and work through a prioritised action plan. These guides walk through the steps:

Disclaimer:This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing, including the OAIC's 2025 announcement of the Federal Court's $5.8 million civil penalty order against Australian Clinical Labs. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Australian Clinical Labs Limited or Medlab Pathology. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.