Why securing identity is the fastest path to compliance

What a landmark Australian privacy ruling reveals about identity, access, and regulatory expectations

In a landmark ruling, the Federal Court of Australia has imposed the largest penalty ever ordered under the Privacy Act 1988, in proceedings brought by the Australian privacy regulator. Australian Clinical Labs (ACL) was fined AU$5.8 million over a 2022 data breach that affected the privacy of 223,000 individuals. In the attack, which took place in March 2022, the attackers stole personal details, including sensitive health and financial information, which later appeared on the dark web.

The case illustrates challenges many organizations face, particularly after acquisitions, when inherited systems and identities can introduce unforeseen risk. It also highlights how regulators increasingly expect organizations to demonstrate clear accountability for protecting personal information, even in complex environments. In this context, securing identity and access for privileged and third-party users has emerged as one of the most direct and defensible ways to reduce risk and meet compliance obligations.

An account of the Federal Court’s proceedings has been published by international law firm Bird & Bird, providing some useful insight into how such fines are quantified. The story highlights how regulators increasingly expect cybersecurity issues to be prioritized and addressed promptly once identified.

At the time of the attack ACL had recently completed the $70m acquisition of Medlab Pathology Ltd. According to the Bird & Bird report, ACL knew that Medlab had cyber security deficiencies, including weak authentication. ACL established a plan either to integrate Medlab's IT systems into its own infrastructure or to decommission them. As a precaution, Medlab's systems were to be kept separate for six months while they were assessed and prepared for integration.

Why perimeter controls alone are no longer sufficient

Medlab's environment carried several legacy security weaknesses, including outdated antivirus capabilities, weak authentication, and limited logging retention, which together increased exposure and allowed a server to be compromised. Short log retention also limits how far an investigation can reconstruct what happened once a breach is detected.

However, despite the planned separation, the Federal Court found that during the six-month period ACL did not meet its obligations under the Privacy Act, concluding that additional cybersecurity controls were required to adequately protect the personal information held within Medlab's systems. The Court also found that a reasonable assessment of the suspected breach was not completed within 30 days of the March 2022 cyberattack.

Assessing penalties for the cybersecurity breach

The penalty of AU$5.8 million reflected mitigating factors: ACL derived no material gain from the contraventions, had a previously good record of Privacy Act compliance, and had proactively improved its cybersecurity controls and staff training.

The Australian Information Commissioner is said to have welcomed the Court’s orders, noting that the case underscores the need for all entities covered by the Privacy Act to remain alert to their obligations and responsibility to protect personal information.

As the first civil privacy case of its kind in Australia, this decision strongly reinforces the risk and cost of delayed security remediation following acquisitions. It also highlights the value — and risk mitigation benefit — of rapidly implementing strong authentication and privileged access controls, particularly when new systems and sensitive data are introduced into an organization.

The “Essential Eight” mitigation strategies for enhanced security posture

Against this backdrop, many organizations look to established frameworks to guide practical, defensible security improvements. The Australian Signals Directorate (ASD) publishes prioritized mitigation strategies to help organizations strengthen their security posture and protect against cyber threats. The most effective of these strategies make up the Essential Eight:

  • Patch applications
  • Patch operating systems
  • Multi-factor authentication
  • Restrict administrative privileges
  • Application control
  • Restrict Microsoft Office macros
  • User application hardening
  • Regular back-ups

Imprivata's technology supports several of the Essential Eight, in particular through the Privileged Access Security suite, which provides controlled third-party access to systems and servers and can be deployed within days, even in complex environments. These solutions help organizations demonstrate alignment with compliance requirements and reduce the regulatory, financial, and reputational exposure that arises in merger, acquisition, and integration scenarios.

For more information about Imprivata’s Privileged Access Security in action, read our case study with University Hospitals of Derby and Burton NHS Foundation Trust.