Background information
- Date of final decision: 20 May 2024
- National case
- Legal Reference (s): Article 5 (Principles relating to processing of personal data), Article 24 (Responsibility of the controller), Article 32 (Security of processing)
- Decision: Administrative fine, Compliance order
- Key words: Accountability, Administrative fine, Data subject rights, Hacker attack, National identification number, Responsibility of the controller or Sensitive data
Summary of the Decision
Origin of the case
The IT infrastructure of the Company American Heart of Poland S.A. was attacked by hackers, who thus gained access to the detailed personal data of approximately 21 000 individuals. The President of the Personal Data Protection Office found that this occurred because the company had incorrectly estimated the risk to the data. Additionally, during the pandemic, the company did not comply with its own data security policy.
Unauthorised persons gained access to the data of patients and employees of the company. The incident covered a wide range of data, i.e.: surname, first name, parents’ first names, mother’s family name, date of birth, data on earnings or assets held, health data, bank account number, residence or stay address, personal identification number (PESEL number), username or password, ID card series and number, telephone number and email address.
The lack of a properly conducted risk analysis, crucial for data protection, led to the company’s failure to implement appropriate organisational and technical measures to protect the processed data. This could have had a real impact on the occurrence of a personal data breach.
Key Findings
The President of the Personal Data Protection Office, in the course of its activities, established that:
- the company had not implemented all the necessary measures to protect the data it was processing, and was unable to determine the cause of the leakage;
- the company did not comply with its own data security recommendations, i.e. it stored customers’ COVID test result information on network drives, whereas medical data should be stored on a dedicated system for processing health data;
- the cloud platform used by the company was too poorly secured. Three servers running at the company’s headquarters did not have up-to-date technical support from the manufacturer (support ended in January 2020). The software on the company’s servers had not been updated through an oversight by IT staff, so a vulnerability was created in the IT system that could have contributed to hackers taking over the devices:
- the company inadequately protected itself against ‘phishing’ attacks, which involve the person attacking the system impersonating another entity (person). According to the findings of the President of the Personal Data Protection Office, in all likelihood, this is how hackers got into the IT system.
Decision
In the decision, the President of the Personal Data Protection Office indicated that the risk analysis should take into account real threats to data processing and properly estimate their level. Risk analysis cannot be an apparent activity performed only to meet the formal requirements of the personal data protection regulations, because then it does not work as an effective way to minmise threats. The President of the Personal Data Protection Office pointed out that ‘even if among the risk factors in the analysis developed by the company, the factors that could cause personal data breaches were taken into account, this was done without the possibility of duly estimating the levels of the aforementioned risks. Thus, the risk analysis was deprived of key information to consciously and in a planned manner minimise the risks associated with data processing and to avoid or limit the occurrence of data breaches in the future.’
The President of the Personal Data Protection Office has imposed a fine of 330 000 € for infringement of Article 5, 24 and 32 of the GDPR and has ordered the controller to bring processing operations into compliance with the provisions of GDPR).
For further information:
- Decision in national language (Polish)
Source: European Data Protection Board