Class Action Filed Against ACL for Medlab Pathology Data Breach

By Ada Torres

Australian Clinical Labs has been hit with a class action lawsuit linked to a 2022 cyberattack on Medlab Pathology, alleging breaches of consumer law and duty of care. The company denies the claims and plans a vigorous defence.

  • Class action filed in Supreme Court of Victoria over Medlab Pathology data breach
  • Claims allege breaches of Australian Consumer Law and duty of care
  • Damages sought are unspecified in the claim
  • ACL denies allegations and intends to vigorously defend
  • Follows prior $6.2 million settlement over the same cyberattack

Class Action Emerges from 2022 Medlab Cyberattack

Australian Clinical Labs (ASX:ACL) has been served with a representative proceeding in the Supreme Court of Victoria relating to a cyberattack on its Medlab Pathology business that occurred in February 2022. The lawsuit, initiated by Michelle Raab-Ivanov on behalf of affected customers, alleges breaches of section 60 of the Australian Consumer Law, as well as breaches of duty of care and equitable duty concerning the handling of personal information compromised in the attack.

The claim targets individuals who were customers of Medlab Pathology or ACL prior to 15 July 2022, but notably does not specify the quantum of damages sought. ACL has publicly denied the allegations and signalled its intention to vigorously defend the claim, underscoring the legal risks it faces from this ongoing fallout.

Legal Challenges Follow Earlier Settlement

This class action follows a $6.2 million settlement ACL reached in September 2025 with the Australian Information Commissioner over the same cyberattack. That settlement included a $5.8 million penalty and legal costs, resolving a Federal Court case. At the time, ACL emphasised that the cyberattack affected only Medlab Pathology’s systems, not its core IT infrastructure, and that Medlab’s IT systems had since been integrated into ACL’s cybersecurity framework.

The emergence of this class action adds a new layer of legal complexity and potential financial exposure for ACL, which had recently reported earnings growth despite market challenges and wage pressures. The company’s latest financial disclosures detailed ongoing efforts to improve efficiency, including AI automation and digitised billing initiatives, which may now run alongside heightened legal and reputational risks related to cybersecurity.

Implications for Investors and Cybersecurity Strategy

While the immediate financial impact of the class action remains uncertain given the unspecified damages, the claim’s allegations of consumer law breaches and duty of care violations highlight the heightened regulatory and legal scrutiny facing healthcare providers in the wake of cyber incidents. ACL’s response and defence strategy will be critical to watch, especially as it manages shareholder expectations amid its ongoing 10% share buy-back program aimed at boosting shareholder value.

Investors will likely be attentive to any updates on the lawsuit’s progress and whether ACL needs to make financial provisions or adjust its cybersecurity measures further. The case also raises broader questions about how medical laboratories balance data security risks with operational demands in an increasingly digitalised healthcare environment.

Bottom Line?

ACL’s legal battle over the Medlab cyberattack underscores the persistent risks of data breaches in healthcare, with outcomes that could influence its financial and reputational standing.

Questions in the middle?

  • How will ACL’s defence strategy evolve in response to this class action?
  • Could the lawsuit prompt further regulatory scrutiny or operational changes in ACL’s cybersecurity?
  • What financial provisions might ACL need to consider if damages are awarded?