“Given the highly complex and unstructured nature of the data-set being investigated, it has taken the forensic analysts and experts until now to determine the individuals and the nature of their information involved,” it said in a statement. Its shares slumped over 12 per cent on the news but made up some ground to close 5.4 per cent weaker at $3.35.

Australian Clinical Labs said it believed the best way of minimise harm to patients whose data was stolen was to contact them directly with tailored notifications.

Loading

The Office of the Australian Information Commissioner, which enforces privacy laws, was told of the breach on July 10, and is making preliminary inquiries about Medlab’s compliance with laws that force firms to report data breaches promptly.

“Under the notifiable data breaches scheme, organisations covered by the Privacy Act must notify affected individuals and the [commissioner’s office] as quickly as possible if they experience a data breach that is likely to result in serious harm to individuals whose personal information is involved,” a spokesman said.

The information commission has previously said it “does not consider that tailoring notifications justifies delay in notifying affected individuals”. The watchdog’s commissioner, Angelene Falk, emphasised earlier this year that any delays in telling hack victims can make it harder for them to protect themselves.

A spokeswoman for the Australian Securities and Investments Commission said: “ASIC is reviewing the matter and working closely with [the] ASX, as we do for all disclosure matters.”

Australian Clinical Labs chief executive Melinda McGrath, who the company did not make available for interview, issued a written statement apologising for the incident.

“We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected,” McGrath said. “We are in the process of providing tailored notifications to the individuals involved.”

“We want to assure all individuals involved that ACL is committed to providing every reasonable support to them.”

The company said that to date, it was not aware of any misuse of the information or ransom demand and was offering free credit monitoring and document replacement to customers who require it.

The Australian Cyber Security Centre declined to comment while a spokeswoman for Services Australia, which manages Medicare cards, said it had received data from Medlab on Thursday and was identifying customers whose card information had been taken in the hack.

“The agency will apply additional security measures to the records provided by Medlab and will continue to monitor for unauthorised activity,” the spokeswoman said.

Exposed Medicare cards can be replaced for free, with new numbers used straight away via the Express Plus Medicare app.

The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.