A press release (machine translated) from the Italian data protection regulator, Garante per la Protezione dei Dati Personali:
With reference to the recent hacker attack suffered by Asl 1 Abruzzo, the Guarantor for the protection of personal data reminds that anyone who comes into possession or downloads data published on the dark web by criminal organizations – and uses them for his own purposes or disseminates them online, on social networks or in any other way – incurs unlawful conduct which may, in the cases provided for by law, constitute a crime.
An even more heinous crime, because it concerns health data, such as in particular information on pathologies and medical treatments of people in conditions of vulnerability and fragility.
The Authority therefore warns not to download from the dark web and not to share archives potentially attributable to the ASL 1 Abruzzo with third parties.
So EU law on this is different than U.S. law.