


Nearly 1.5 million zloty fine for a medical company after a hacking attack


published on 22 October 2024 | reading time approx. 5 minutes


The IT infrastructure of the leader in cardiology in Poland was attacked by hackers who gained access to detailed personal data of approx. 21 thousand people. The President of the Personal Data Protection Office (PDPO) found that it happened because the company underestimated the risk related to data protection and failed to comply with its own data security policy.

By decision of 20 May 2024 (file no. DKN.5112.35.2021), the President of the PDPO ruled that the Company had breached Article 5(1)(f) and (2), Article 24(1) and Article 32(1) and (2) of Regulation (EU) 2016/679 by failing to implement:
1) appropriate technical and organisational measures to ensure security of the processing in IT systems and the protection of the rights of data subjects, on the basis of a risk analysis taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons;
2) appropriate technical and organisational measures to ensure regular testing, assessing and evaluating of the effectiveness of the technical and organisational measures for ensuring the security of the personal data processed in IT systems, in particular with regard to vulnerabilities, errors and their possible effects on those systems, and the measures taken to mitigate the risk of their materialisation.

This behaviour led to a breach of the principle of integrity and confidentiality, as well as the principle of accountability. 

Consequently, the President of the PDPO issued a decision imposing an administrative fine of 1,440,549.00 zloty on the Company for the above breach.

According to the notification submitted by the company, the personal data breach consisted of hackers gaining unauthorised access to the company's IT resources (network drives) and installing ransomware in the company's IT system, which resulted in the loss of access to, and of the confidentiality of, the personal data processed by the company in that system. The company then confirmed the breach of data confidentiality by accessing the darknet site at the address provided by the hackers.

The company learned of the data leak from the hackers, who demanded a 3 million dollar ransom for not disclosing the captured data. 

The confidentiality of the personal data was compromised as the group of hackers disseminated them in the darknet. The compromised personal data included details of the company's patients and employees. The following categories of data were leaked: last name, first name, parents' first names, date of birth, bank account number, address of residence or stay, PESEL number, e-mail address, username or password, data on earnings or property, data concerning health, mother's family (maiden) name, ID number and telephone number.

The supervisory authority found irregularities such as inadequate technical and organisational measures to minimise the risks related to the processing of personal data (in particular the risks of accidental or unlawful destruction, loss, modification, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed), resulting from an inadequate risk analysis, and the lack of regular testing, measurement and evaluation of the effectiveness of the measures meant to ensure the security of processing.

The President of the PDPO carried out a preliminary inquiry and an investigation of the case and, consequently, initiated administrative proceedings against the company. 

Furthermore, during his investigation, the President of the PDPO established that:
  • the company did not implement all the necessary measures to protect the data it processed and was unable to determine the cause of the leak;
  • the company did not comply with its own data security guidelines, i.e. it stored customers’ COVID test results on network drives, whereas medical data should be stored in a special system dedicated to the processing of data concerning health;
  • the cloud platform used by the company was inadequately secured. Three company servers were no longer supported by the manufacturer. The software on the company’s servers had not been updated, through an oversight by IT staff, which created a vulnerability in the IT system that may have contributed to the hackers taking over the devices;
  • the company inadequately protected itself against phishing attacks. According to the findings of the President of the PDPO, it is very likely that this is how the hackers got into the IT system.

The company assumed that the data it processed was adequately secured, based only on an internal audit carried out to renew its ISO/IEC 27001:2013 certification. However, this assumption was wrong. The lack of a properly conducted risk analysis, crucial for data protection, led to the company's failure to implement appropriate organisational and technical measures to protect the processed data, which could have had a real impact on the personal data breach.

Furthermore, the company did not regularly test the effectiveness of its IT systems’ security features. In doing so, it deprived itself of an important means of meaningfully assessing the level of risk in data processing. What is more, it acted in the mistaken belief that the above risks were only low or, at most, medium.

As a result of the above findings, the President of the PDPO issued an administrative decision in which he listed irregularities in the company's compliance with data protection regulations and imposed a fine of 1,440,549 zloty. The supervisory authority also ordered the company to enhance its data processing and gave it 30 days to carry out a proper risk analysis and to implement on that basis appropriate technical and organisational measures to ensure data security. The President of the PDPO also obliged the company to implement rules to check the effectiveness of the adopted measures on a regular basis.

In his decision the President of the PDPO indicated that the risk analysis should take into account the real risks to data processing and properly estimate their level. Risk analysis cannot be a sham process performed only to meet the formal requirements of data protection legislation, as it then offers no effective means of risk mitigation. The President of the PDPO pointed out that even though the risk factors described in the company’s analysis included factors that could have caused a personal data breach, they were listed without any possibility of properly assessing the risk levels. Thus, the risk analysis lacked the key information needed to minimise the risks associated with data processing in a well-informed and planned manner and to avoid or limit the occurrence of data protection breaches in the future.

DATA PROTECTION BITES

Author

Aneta Siwek

Attorney at Law
