DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Administrative fine of €330,000 issued to Polish medical company after a hacking incident

Posted on November 29, 2024 by Dissent

Background information

  • Date of final decision: 20 May 2024
  • National case
  • Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller),  Article 32 (Security of processing)
  • Decision: Administrative fine, Compliance order
  • Key words: Accountability, Administrative fine, Data subject rights, Hacker attack, National identification number,  Responsibility of the controller or  Sensitive data

Summary of the Decision

Origin of the case

The IT infrastructure of the Company American Heart of Poland S.A. was attacked by hackers, who thus gained access to the detailed personal data of approximately 21 000 individuals. The President of the Personal Data Protection Office found that this occurred because the company had incorrectly estimated the risk to the data. Additionally, during the pandemic, the company did not comply with its own data security policy.

Unauthorised persons gained access to the data of patients and employees of the company. The incident covered a wide range of data, i.e.: surname, first name, parents’ first names, mother’s family name, date of birth, data on earnings or assets held, health data, bank account number, residence or stay address, personal identification number (PESEL number), username or password, ID card series and number, telephone number and email address.

The lack of a properly conducted risk analysis, crucial for data protection, led to the company’s failure to implement appropriate organisational and technical measures to protect the processed data. This could have had a real impact on the occurrence of a personal data breach.

Key Findings

The President of the Personal Data Protection Office, in the course of its activities, established that:

  • the company had not implemented all the necessary measures to protect the data it was processing, and was unable to determine the cause of the leakage;
  • the company did not comply with its own data security recommendations, i.e. it stored customers’ COVID test result information on network drives, whereas medical data should be stored on a dedicated system for processing health data;
  • the cloud platform used by the company was too poorly secured. Three servers running at the company’s headquarters did not have up-to-date technical support from the manufacturer (support ended in January 2020). The software on the company’s servers had not been updated through an oversight by IT staff, so a vulnerability was created in the IT system that could have contributed to hackers taking over the devices:
    • the company inadequately protected itself against ‘phishing’ attacks, which involve the person attacking the system impersonating another entity (person). According to the findings of the President of the Personal Data Protection Office, in all likelihood, this is how hackers got into the IT system.

Decision

In the decision, the President of the Personal Data Protection Office indicated that the risk analysis should take into account real threats to data processing and properly estimate their level. Risk analysis cannot be an apparent activity performed only to meet the formal requirements of the personal data protection regulations, because then it does not work as an effective way to minmise threats. The President of the Personal Data Protection Office pointed out that ‘even if among the risk factors in the analysis developed by the company, the factors that could cause personal data breaches were taken into account, this was done without the possibility of duly estimating the levels of the aforementioned risks. Thus, the risk analysis was deprived of key information to consciously and in a planned manner minimise the risks associated with data processing and to avoid or limit the occurrence of data breaches in the future.’

The President of the Personal Data Protection Office has imposed a fine of 330 000 € for infringement of Article 5, 24 and 32 of the GDPR and has ordered the controller to bring processing operations into compliance with the provisions of GDPR).

For further information: 

  • Decision in national language (Polish)

Source: European Data Protection Board

Category: Commentaries and AnalysesHackHealth DataNon-U.S.Of Note

Post navigation

← Russia arrests cybercriminal Wazawaka for ties with ransomware gangs
Changes Are Likely on the Horizon for the Federal Healthcare Portfolio, in Areas Including Cybersecurity and in Regulatory Enforcement →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide
  • Russian national and leader of Qakbot malware conspiracy indicted in long-running global ransomware scheme
  • Texas Doctor Who Falsely Diagnosed Patients as Part of Insurance Fraud Scheme Sentenced to 10 Years’ Imprisonment
  • VanHelsing ransomware builder leaked on hacking forum
  • Hack of Opexus Was at Root of Massive Federal Data Breach
  • ‘Deep concern’ for domestic abuse survivors as cybercriminals expected to publish confidential abuse survivors’ addresses
  • Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • Privilege Under Fire: Protecting Forensic Reports in the Wake of a Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law
  • Telegram Gave Authorities Data on More than 20,000 Users
  • Police secretly monitored New Orleans with facial recognition cameras
  • Cocospy stalkerware apps go offline after data breach
  • Drugmaker Regeneron to acquire 23andMe out of bankruptcy

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.