TL;DR: Australia’s largest Privacy Act fine, AU$5.8 million against Australian Clinical Labs for a 2022 breach affecting 223,000 people, shows how inherited systems, weak authentication, and delayed remediation can turn acquisition risk into regulatory liability, according to Imprivata and Bird & Bird. Identity and privileged access controls now sit at the centre of defensible post-merger security.
NHIMG editorial — based on content published by Imprivata: What a landmark Australian privacy ruling reveals about identity, access, and regulatory expectations
By the numbers:
- Australian Clinical Labs received an AU$5.8 million fine for a data breach in 2022 that affected the privacy of 223,000 individuals.
Questions worth separating out
Q: What breaks when inherited systems keep their original access model after an acquisition?
A: The organisation loses clear accountability over who can access sensitive systems, which increases the chance that weak authentication, stale admin rights, and poor logging persist into the combined estate.
Q: Why do acquisitions make privileged access governance harder?
A: Because the acquiring organisation inherits accounts, permissions, and exception handling that were designed under a different operating model.
Q: How can security teams tell whether identity controls are effective after a merger?
A: Look for evidence that privileged users are inventoried, logging is retained long enough to support incident reconstruction, and legacy access is being reduced rather than tolerated.
Practitioner guidance
- Inventory inherited identities immediately Map every privileged user, service account, third-party account, and shared admin path in the acquired estate before integration begins.
- Restrict administrative access during the integration window Move inherited admin access to the minimum set required for continuity, then convert standing privilege to reviewed, time-bound access until the estate is normalised.
- Validate logging and retention before decommission decisions Confirm that audit logs, retention settings, and time synchronisation are sufficient to reconstruct access and response decisions across both environments.
What's in the full analysis
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- How the Federal Court quantified the penalty and weighed remediation behaviour, compliance history, and delay.
- The specific sequence of acquisition, system separation, and integration planning that shaped the breach response.
- The Essential Eight mitigation strategies discussed in relation to post-breach security posture.
- Imprivata's Privileged Access Security context for controlled third-party access in complex environments.
👉 Read Imprivata's analysis of the Australian privacy ruling and acquisition risk →
Acquisition-driven identity risk: what the Australian ruling means?
Explore further
Acquisition does not reset identity risk: inherited systems carry their own access history, privilege model, and security debt. The problem is not simply that two environments have to be merged, but that the acquiring organisation inherits accounts and controls it may not fully understand. In practice, merger governance fails when identity due diligence is treated as a paperwork exercise instead of an operational control boundary.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, which shows how quickly identity debt accumulates when ownership and privilege are unclear.
A question worth separating out:
Q: Who is accountable when a breach occurs in an acquired environment?
A: Accountability sits with the organisation that owns the data and the systems at the time of the breach, even if the environment was inherited through acquisition. Regulators will still expect the parent entity to demonstrate timely assessment, strong access controls, and a credible remediation plan.
👉 Read our full editorial: Australian privacy ruling shows identity failures after acquisition