Polish Data Protection Authority Fines Healthcare Company for Data Security Failures

The Polish Data Protection Authority (UODO) has levied a substantial fine of approximately $360,000 USD against a major healthcare provider, identified as A. S.A., for multiple violations of the General Data Protection Regulation (GDPR). This decision follows an extensive investigation into a severe data breach that compromised the personal information of around 150,000 individuals, including both patients and employees.

The incident came to light when A. S.A. reported a data breach to the UODO on an undisclosed date in 2021. The company disclosed that a hacking group, known as "A.", had gained unauthorized access to its IT resources, specifically network drives. The attackers deployed ransomware, resulting in a loss of data availability and confidentiality. On the day of discovery, the company found evidence of the breach on a darknet site, where a sample of employee personal data had been published. The hackers threatened further dissemination of data unless contacted and demanded a ransom of several million US dollars.

Following the breach notification, the UODO conducted an on-site inspection of A. S.A. from November 15 to 19, 2021. The investigation revealed several critical shortcomings in the company's data protection practices. The UODO found that A. S.A. had significantly underestimated the risks associated with its data processing activities. Even after the breach, the company's risk analysis dated August 2, 2021, categorized most risks as "small" or "medium," which the UODO deemed unrealistic given the recent incident.

The investigation uncovered that A. S.A. was using IT systems and software that no longer received manufacturer support or updates. This included at least 30 servers running an unsupported operating system, increasing vulnerability to cyber attacks. Additionally, the company had implemented insufficient password strength requirements for user accounts, particularly for access to cloud platforms.

A. S.A. failed to conduct regular testing, measurement, and evaluation of the effectiveness of its technical and organizational security measures. The UODO noted the absence of a detailed procedure for such testing. Contrary to the company's own policies, sensitive health data was stored on network drives instead of in the designated medical information system (HIS), increasing the exposure of sensitive data to potential breaches.

The UODO criticized A. S.A. for not definitively establishing the root cause of the breach, which limited its ability to prevent similar incidents in the future. Based on these findings, the UODO determined that A. S.A. had violated several key articles of the GDPR: the principles of integrity, confidentiality, and accountability; the controller's responsibility to implement appropriate technical and organizational measures; and security of processing, including risk assessment and the implementation of appropriate security measures.

In addition to the monetary fine, the UODO has ordered A. S.A. to implement appropriate technical and organizational measures to minimize the risks associated with data processing, based on a thorough risk analysis. The company must also establish a system for regular testing, assessing, and evaluating the effectiveness of security measures. These corrective actions must be implemented within 30 days of the decision.

This case serves as a stark reminder to healthcare providers and other organizations processing sensitive personal data of the importance of conducting thorough and realistic risk assessments, maintaining up-to-date systems, implementing strong security measures, and adhering to internal data handling policies. The decision highlights the UODO's growing focus on enforcing GDPR compliance and its willingness to impose significant fines for serious violations.

As cyber threats continue to evolve, this case emphasizes the critical importance of ongoing vigilance, risk assessment, and security improvement in safeguarding personal data and maintaining compliance with data protection regulations. Organizations must take a proactive approach to data protection, particularly in sectors dealing with sensitive health information, to avoid similar penalties and protect the privacy rights of individuals.