Cyber Incident Victim: Australian Clinical Labs Limited
Date:
Feb 2022
Location:
Australia
Summary
A ransomware attack compromised the Medlab Pathology systems of Australian Clinical Labs, exposing sensitive personal and medical data of approximately 223,000 individuals, mostly in New South Wales and Queensland. The intrusion led to the theft of medical diagnoses, Medicare numbers and payment card details: around 60% of affected individuals had Medicare numbers exposed, 12% had payment card details compromised, and 8% had medical records published online. The Quantum ransomware group, an offshoot of the Conti operation, claimed responsibility and published the stolen data on its dark web leak site. The company detected the initial intrusion but only confirmed data exfiltration months later, after government cybersecurity authorities alerted it to the dark web exposure. The delay in investigation was attributed to the difficulty of analysing a large, unstructured dataset. The compromised server was decommissioned, other systems were reported unaffected, and at the time of disclosure no evidence of data misuse or of an extortion demand had been identified.
Description
In February 2022, Australian Clinical Labs Limited (ACL) detected unauthorized access to Medlab Pathology's systems but initially found no evidence that data had been compromised. The Australian Cyber Security Centre (ACSC) contacted ACL in March 2022 to warn of a suspected ransomware attack. In June 2022, Australian cybersecurity authorities alerted ACL that stolen Medlab data had appeared on dark web forums and was available for download. The ransomware-as-a-service group Quantum, an offshoot of the Conti operation, claimed responsibility by publishing an 86-gigabyte archive on its leak site. ACL publicly disclosed the incident on October 27, 2022, attributing the four-month gap between the dark web discovery and notification to the "highly complex and unstructured" nature of the dataset: forensic investigators needed that time to identify the affected individuals and to categorize the types of information exposed.

The breach exposed personal and medical data of approximately 223,000 individuals, primarily residents of New South Wales and Queensland. Compromised data included disease diagnoses, pathology test results, payment card details and Medicare numbers (the identifiers issued under Australia's public health insurance scheme). Approximately 60% of affected individuals had their Medicare numbers exposed, and 12% had payment card numbers compromised. For 8% of victims, medical records associated with pathology tests were confirmed to have been posted online. ACL stated that the server from which the data was taken had been decommissioned and that no other systems were affected. Following the October disclosure the company began notifying affected individuals directly, and reported no evidence that the information had been misused and no extortion demand. The incident occurred amid a series of high-profile Australian cyberattacks, including the Optus and Medibank breaches, but the available evidence establishes no operational connection between these events.
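The categorization work described above, which is where the four-month delay went, is the breach-impact assessment step of incident response: sweeping an unstructured leaked dataset to find out which classes of identifier it contains and how many records carry each. The following is an added example of a first-pass sweep and is not ACL's or its investigators' code. It assumes the dataset has been reduced to free-text records, and the sample records are constructed for this example (the card number is the standard 4111... test number). Medicare candidates are validated with the commonly published check-digit rule (weighted sum of the first eight digits, weights 1,3,7,9,1,3,7,9, mod 10 equals the ninth digit; the tenth digit is the card issue number) and card candidates with the Luhn checksum, which cuts most of the false positives a bare digit-run regex produces; a hit is still only a candidate until confirmed against patient and billing records.

```python
import re
from collections import Counter

# Constructed sample of free-text leaked records (made up for this example).
SAMPLE_RECORDS = [
    "Patient ref 1192 | diag: type 2 diabetes | medicare 4953 21877 1 | paid VISA 4111 1111 1111 1111",
    "lab order 7731 HbA1c 6.9% ; contact 0412 000 000 ; Medicare: 4953218771",
    "invoice 5502 amount 84.00 card 4111111111111112",        # card fails Luhn
    "note: medicare 4953 21878 1 looks mistyped, recheck",   # Medicare check digit wrong
    "result ref 8810 | FBC normal | no identifiers in this line",
]

MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)
# Medicare numbers are 10 digits, first digit 2-6, usually written 4-5-1.
MEDICARE_RE = re.compile(r"\b([2-6]\d{3})\s?(\d{5})\s?(\d)\b")
# Any run of 14-19 digits with optional spaces or dashes; Luhn filters it.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def medicare_check_digit_ok(number: str) -> bool:
    """Check the ninth digit of a 10-digit Australian Medicare number.

    Uses the commonly published rule (assumption: weights 1,3,7,9,1,3,7,9
    over the first eight digits, sum mod 10 == ninth digit). The tenth digit
    is the issue number and is not part of the checksum.
    """
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) != 10 or not 2 <= digits[0] <= 6:
        return False
    total = sum(d * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS))
    return total % 10 == digits[8]


def luhn_ok(number: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_record(text: str) -> dict:
    """Return the validated identifiers of each class found in one record."""
    medicare_hits = {
        "".join(m.groups()) for m in MEDICARE_RE.finditer(text)
        if medicare_check_digit_ok("".join(m.groups()))
    }
    card_hits = {
        re.sub(r"\D", "", m.group(0)) for m in CARD_RE.finditer(text)
        if luhn_ok(m.group(0))
    }
    return {"medicare": medicare_hits, "card": card_hits}


def exposure_summary(records) -> dict:
    """Count records and distinct identifiers per class across a dataset.

    Distinct counts matter: the same person's Medicare number can appear in
    many records, and the notification population is people, not rows.
    """
    records_with = Counter()
    distinct = {"medicare": set(), "card": set()}
    for rec in records:
        for cls, values in classify_record(rec).items():
            if values:
                records_with[cls] += 1
                distinct[cls].update(values)
    return {
        "records": len(records),
        "records_with_medicare": records_with["medicare"],
        "records_with_card": records_with["card"],
        "distinct_medicare": len(distinct["medicare"]),
        "distinct_card": len(distinct["card"]),
    }


if __name__ == "__main__":
    print(exposure_summary(SAMPLE_RECORDS))
```

On the constructed sample the sweep reports two records carrying a valid Medicare number but only one distinct number, one record with a Luhn-valid card, and rejects both the mistyped Medicare number and the card number with a bad checksum. On a real dump the same structure scales to streaming over files, but the distinct-identifier sets are what feed the per-person notification figures like the 60% and 12% quoted above.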
