TL;DR: Australia’s largest Privacy Act fine, AU$5.8 million against Australian Clinical Labs, followed a 2022 breach affecting 223,000 people after a Medlab acquisition exposed weak authentication, limited logging, and delayed remediation, according to Imprivata and court reporting. The ruling shows that inherited identities and privileged access can turn post-merger integration gaps into regulatory liability.
NHIMG editorial — based on content published by Imprivata covering the Australian Clinical Labs privacy ruling and acquisition-related identity risk
Questions worth separating out
Q: What breaks when inherited systems keep their old access model after an acquisition?
A: The main failure is that accountability and entitlement ownership no longer line up with the current business structure.
Q: Why do acquisitions increase IAM and PAM risk so quickly?
A: Because the buyer inherits accounts, trust relationships, and technical debt before it has fully validated them.
Q: How do you know if post-merger access governance is actually working?
A: You should be able to show current ownership for every retained account, complete approval history for privileged access, and logs that allow incident reconstruction.
Practitioner guidance
- Revalidate inherited privileged access immediately: review every administrative, support, and third-party account in acquired systems before integration proceeds.
- Treat logging retention as a compliance control: confirm that acquired systems retain logs long enough to support incident reconstruction, privacy reporting, and regulator review.
- Build acquisition checkpoints into IAM and PAM workflows: add identity review, privilege validation, and offboarding verification to every merger or acquisition milestone.
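The three guidance points above describe one checkpoint: revalidate inherited accounts, confirm log retention, and gate integration on the result. The following added example (written for this editorial, not code from Imprivata or from the analysis it summarises) shows what such a checkpoint can test mechanically against a flattened account export from an acquired environment. The export, the field names, the per-system log-retention figures, the acquisition date, the 365-day retention minimum and the 90-day inactivity threshold are all constructed assumptions, not values from the ruling.

```python
from datetime import date

# Constructed sample export of accounts from an acquired environment.
# Field names and values are assumptions for this example, not a real schema.
ACQUISITION_DATE = date(2022, 6, 1)          # assumption
AS_OF_DATE = date(2022, 10, 1)               # fixed review date for reproducibility
ACCOUNTS = [
    {"system": "lis-db", "account": "svc_backup", "privileged": True,
     "owner": "", "owner_active": False, "approval_ref": None,
     "third_party": False, "last_login": "2022-01-15", "reviewed_on": None},
    {"system": "lis-db", "account": "dba_jsmith", "privileged": True,
     "owner": "jsmith", "owner_active": True, "approval_ref": "CHG-0042",
     "third_party": False, "last_login": "2022-09-28", "reviewed_on": "2022-06-10"},
    {"system": "portal", "account": "vendor_support", "privileged": True,
     "owner": "vendor-x", "owner_active": True, "approval_ref": None,
     "third_party": True, "last_login": "2022-03-02", "reviewed_on": None},
    {"system": "portal", "account": "r.lee", "privileged": False,
     "owner": "r.lee", "owner_active": False, "approval_ref": None,
     "third_party": False, "last_login": "2022-02-20", "reviewed_on": None},
    {"system": "portal", "account": "a.ng", "privileged": False,
     "owner": "a.ng", "owner_active": True, "approval_ref": None,
     "third_party": False, "last_login": "2022-09-30", "reviewed_on": "2022-06-12"},
]

# Constructed days of log retention reported per acquired system.
LOG_RETENTION_DAYS = {"lis-db": 30, "portal": 400}

REQUIRED_RETENTION_DAYS = 365   # assumption: buyer's minimum for reconstruction and regulator review
STALE_LOGIN_DAYS = 90           # assumption: inactivity threshold for disabling an account


def _parse(iso_date):
    return date.fromisoformat(iso_date) if iso_date else None


def review_accounts(accounts, today=AS_OF_DATE, acquisition_date=ACQUISITION_DATE,
                    stale_days=STALE_LOGIN_DAYS):
    """Return one (system, account, issue) tuple per control gap found."""
    findings = []
    for a in accounts:
        key = (a["system"], a["account"])
        # Ownership: every retained account needs a named, still-active owner.
        if not a["owner"] or not a["owner_active"]:
            findings.append((*key, "no-current-owner"))
        # Privileged access must carry a recorded approval.
        if a["privileged"] and not a["approval_ref"]:
            findings.append((*key, "privileged-without-approval"))
        # Third-party access must have been re-reviewed since the acquisition.
        reviewed = _parse(a["reviewed_on"])
        if a["third_party"] and (reviewed is None or reviewed < acquisition_date):
            findings.append((*key, "third-party-not-revalidated"))
        # Dormant accounts are candidates for disablement before integration.
        last = _parse(a["last_login"])
        if last is None or (today - last).days > stale_days:
            findings.append((*key, "stale-login"))
    return findings


def review_log_retention(retention, required=REQUIRED_RETENTION_DAYS):
    """Flag systems whose log retention cannot support incident reconstruction."""
    return [(system, days, "retention-below-minimum")
            for system, days in sorted(retention.items()) if days < required]


def governance_summary(accounts, retention, today=AS_OF_DATE):
    """Roll findings up per system so an integration milestone can gate on them."""
    per_system = {}
    for system, _account, issue in review_accounts(accounts, today):
        per_system.setdefault(system, {}).setdefault(issue, 0)
        per_system[system][issue] += 1
    for system, _days, issue in review_log_retention(retention):
        per_system.setdefault(system, {})[issue] = 1
    return per_system


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS):
        print("ACCOUNT", *finding)
    for finding in review_log_retention(LOG_RETENTION_DAYS):
        print("LOGGING", *finding)
    print(governance_summary(ACCOUNTS, LOG_RETENTION_DAYS))
```

In practice the export would come from the acquired directory, database and application admin consoles, and the summary would be attached to the milestone record so that a non-empty result blocks the next integration step rather than being noted and deferred.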
What's in the full analysis
Imprivata's full analysis covers the operational detail this post intentionally leaves for the source:
- The court reasoning behind the AU$5.8 million penalty and how the fine was quantified.
- The acquisition timeline and remediation sequence around Medlab’s separate systems.
- The specific cybersecurity deficiencies identified in the inherited environment, including weak authentication and limited logging retention.
- The Essential Eight control set and how it maps to post-acquisition hardening.
Read Imprivata's analysis of the Australian Clinical Labs privacy ruling.