PRIVACY: AN ASL WAS SANCTIONED FOR A HACKER ATTACK

The Garante for personal data protection (“Garante”) has fined an ASL (or Local Health Authority) in the province of Naples for 30,000 euros following a hacking attack that affected more than 840,000 people, including patients and employees.

The local health body (“ASL”) notified the Garante of a data breach under Article 33 GDPR. The data breach was caused by a ransomware cyber-attack that infected the health institution’s network. The ASL stated that there were malfunctions in the delivery of hospital and laboratory services.

The complex attack specifically affected the lists of users with administrator profiles, thereby blocking access to the ASL’s own IT systems. Specifically, the software and data of the main and backup data centre platforms were affected, as were the relocated data centres hosting the ER, ADT and diagnostic imaging application functions.

Access was obtained using ASL staff credentials found on the dark web, which, through the VPN, granted system administrator privileges. A ransom was also demanded to restore the systems.

After the notification, the Garante proceeded with the necessary inspection activity, during which it found:

– the absence of adequate measures to detect the data breach and restore the security of the systems, in violation of the principle of privacy by design; indeed, access was through an authentication procedure based only on a username and password;

– insufficient segmentation of the network, which facilitated the spread of the virus.

Such serious shortcomings in terms of security and privacy by design resulted in a violation of data protection regulations, and in particular of those relating:

– to the principle of “integrity and confidentiality” referred to in Art. 5 of the GDPR;

– to the principle of “privacy by design” referred to in Art. 25 of the GDPR;

– to the security obligations set forth in Article 32 of the GDPR.

In quantifying the penalty, the Garante considered the significant number of data subjects (more than 840,000 people), the cooperative spirit of the ASL and the non-intentional nature of the data breach. Following the attack, moreover, measures were taken to limit the harm suffered by the data subjects and to prevent the recurrence of similar incidents (such as two-factor authentication). On the other hand, the “sensitive” nature of the breached data, which concerned the health of the data subjects, was found to be an aggravating factor.

In conclusion, therefore, the ASL was fined 30,000 euros (an all-too-small sum, despite the seriousness of the incident) for violating the above regulations.

This event, which comes on the heels of a series of sanctioning measures by the Garante against entities belonging to the Public Administration, and in particular to the National Health System (NHS), highlights a serious deficiency in, and lack of attention to, data protection and cyber security regulations.

The principle of privacy by design is, and should be, above all a proactive approach to the protection of personal data, incorporating security measures and respect for privacy from the very beginning of the design of a system, product or service. The application of this principle must be geared toward preventing privacy breaches rather than addressing them afterwards, and toward promoting transparency and users’ control over their own data.

DISCLAIMER: This newsletter merely provides general information and does not constitute legal advice of any kind from Macchi di Cellere Gangemi. The newsletter does not replace individual legal consultation. Macchi di Cellere Gangemi assumes no liability whatsoever for the content and correctness of the newsletter.