Background information
- Date of final decision: 13 June 2024
- National case
- Legal references: Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing), Article 34 (Communication of a personal data breach to the data subject).
- Decision: Administrative fine, Communication order personal data breach, Compliance order
Summary of the Decision
Origin of the case
As a result of a hacking attack, the Centre lost access to patient and employee data. It only took corrective action after the fact. Before that, it had not carried out a risk analysis for personal data. Therefore, it could not effectively protect personal data.
The hacking attack occurred in February 2022. Malicious ransomware encrypted the personal data of 30,000 patients and more than 1,000 employees. The Health Care Centre notified the Personal Data Protection Office and the police. However, it considered that the attack was not serious, as the data did not leak - they only became inaccessible (an external expert indicated that the data could not be decrypted - the attackers made the decryption of the data conditional on paying a ransom in cryptocurrency).
The Health Care Centre failed to notify data subjects that it had lost control over data such as their name and surname, parents' names, date of birth, bank account number, residence or stay address, personal identification number (PESEL number), username and/or password, details of earnings or assets held, mother's family name, ID card series and number, telephone number and health data.
Key findings
The President of the Personal Data Protection Office found in the proceedings that the matter was substantial.
- It was only after the attack that the Health Care Centre reacted to the threat to personal data. It then called in experts, who identified security gaps and recommended changes. Training courses were also held for employees on IT and data security.
- However, the Health Care Centre did not have – which is crucial – documents confirming the preparation and updating of a risk analysis for personal data. Data security was entrusted to an IT specialist who continuously analysed, among other things, vulnerabilities, threats, possible consequences of a breach and security measures to ensure the confidentiality, integrity and accessibility of the personal data processed. This could in no way ensure proper control over data security.
As a result, the procedures adopted at the Health Care Centre were not adequate for the risks to personal data. This was proved by an audit already carried out after the attack.
Without having a risk analysis, the Health Care Centre also made mistakes after the incident - it reported its problem to the Personal Data Protection Office and the Police, but failed to recognise the problem to the data subjects.
Decision
The President of the Personal Data Protection Office imposed a fine of 9 300 € on the Independent Public Health Care Centre in Pajęczno for infringement of Articles 5, 24, 25, 32 and 34 of the GDPR. In addition to the fine, the President of the Personal Data Protection Office ordered the implementation of appropriate technical and organisational measures to ensure the security of data processing in IT systems within 30 days. He also ordered to notify the data subjects of the incident, explain to them what happened, outline the possible consequences of the incident and indicate who can provide more information on the subject in the Health Care Centre.
For further information:
- Decision in national language (Polish)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.