ACL hammered with $5.8m civil penalties over data breach

The leading private pathology provider has until 7 November to pay up. Plus there’s news from Care GP and Epiminder.


Australian Clinical Labs has become the first company to pay civil penalties ordered under the Privacy Act 1988.

Earlier this month ACL was ordered to pay $5.8 million by the Federal Court in relation to a data breach by its Medlab Pathology business in February 2022.

The breach resulted in the unauthorised access and exfiltration of the personal information of over 223,000 individuals.

Australian Information Commissioner Elizabeth Tydd welcomed the orders, saying that they “provide an important reminder to all APP entities that they must remain vigilant in securing and responsibly managing the personal information they hold”.

“These orders also represent a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them to the Office of the Australian Information Commissioner appropriately,” she said.

“Entities holding sensitive data need to be responsive to the heightened requirements for securing this information as future action will be subject to higher penalty provisions now available under the Privacy Act.”

The $5.8 million fine was broken down as follows:

  • a penalty of $4.2 million for ACL’s failure to take reasonable steps to protect the personal information held by ACL on Medlab Pathology’s IT systems under Australian Privacy Principle 11.1, which amounted to more than 223,000 contraventions of s 13G(a) of the Privacy Act;
  • a penalty of $800,000 for ACL’s failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the cyberattack on the Medlab Pathology IT systems in February 2022, in contravention of s 26WH(2) of the Privacy Act; and
  • a penalty of $800,000 for ACL’s failures to prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the eligible data breach, in contravention of s 26WK(2) of the Privacy Act.

Justice John Halley said ACL’s contraventions were “extensive and significant”.

“ACL’s most senior management were involved in the decision making around the integration of Medlab’s IT Systems into ACL’s core environment and ACL’s response to the Medlab cyberattack, including whether it amounted to an eligible data breach,” he said.

“ACL’s contraventions … resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems.

“ACL’s contravening conduct … had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience.

“The contraventions had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals.”

Justice Halley also acknowledged steps ACL had taken that reduced the penalties finally imposed.

“ACL … cooperated with the investigation undertaken by the office of the Commissioner”, and it had begun “a program of works to uplift the company’s cybersecurity capabilities” which “satisfied [his Honour] that these actions demonstrate that ACL has sought, and continues to seek, to take meaningful steps to develop a satisfactory culture of compliance”, he said.

His Honour also took into account the apologies made by ACL and the fact that it had admitted liability.

ACL also agreed to pay $400,000 towards the AIC’s legal costs. All penalties must be paid by 7 November.

Samantha rollout booming

Care GP’s Google Gemini-based document processing agent Samantha is being rolled out across 20 of Qualitas Health’s 45 Australian sites, according to ITNews.

The rollout started in August and will be completed over the next eight weeks.

“This hasn’t impacted headcount,” Qualitas’ Queensland and Victoria operations director Rajesh Sharma was quoted as saying.

“The advantage is that humans find that task very laborious. Now the AI does it, so that same workforce can enhance the patient experience where personal interaction is required.

“[People] were staying back a while scanning and trying to complete all these manual processes, but now they see the benefit of doing it on time.

“It’s (now) done in quite a timely way. It’s a repetitive process – I don’t think people enjoyed it.”

Earlier this week Care GP announced that Samantha’s national rollout would be accelerated, after average month-on-month usage growth reached 140% with average contract values of US$5000 (AU$7680).

New CFO for Epiminder

Melbourne medical device company Epiminder has appointed Mark McLellan as its new chief financial officer.

Mr McLellan joins Epiminder following a distinguished career in healthcare finance at Beamtree Holdings, information technology at rhipe (now Crayon), and strategic planning at PwC, Ernst & Young, and the Royal Bank of Scotland.

His expertise spans medical data service commercialisation, supporting high growth technology businesses, and capital markets operations. Previously, he had extensive financial advisory experience supporting businesses through IPOs and private capital raisings, as well as acquisitions and divestments during his time at Ernst & Young, the Royal Bank of Scotland and PwC.

Epiminder’s implantable continuous EEG monitoring system Minder recently received authorisation from the US FDA.
