Nearly PLN 1.5 million fine for a medical company after a hacker attack
The IT infrastructure of the company American Heart of Poland SA was attacked by hackers, who thus gained access to the detailed personal data of approximately 21,000 individuals. The President of the Personal Data Protection Office found that this occurred because the company had incorrectly estimated the risk to the data. Additionally, during the pandemic, the company did not comply with its own data security policy.
Unauthorised persons gained access to the data of patients and employees of the company. The incident covered a wide range of data, i.e.: surname, first name, parents' first names, mother's family name, date of birth, data on earnings or assets held, health data, bank account number, residence or stay address, personal identification number (PESEL number), username or password, ID card series and number, telephone number and email address.
The company learned of the data leakage from hackers, who demanded a $3 million ransom for not disclosing the intercepted data. The company notified the President of the Personal Data Protection Office of the incident, and informed those whose data had leaked of the risks associated with the incident.
The President of the Personal Data Protection Office carried out explanatory and inspection activities in this case and, following them, initiated administrative proceedings against the company.
Furthermore, the President of the Personal Data Protection Office, in the course of its activities, established that:
- the company had not implemented all the necessary measures to protect the data it was processing, and was unable to determine the cause of the leakage;
- the company did not comply with its own data security recommendations, i.e. it stored customers' COVID test result information on network drives, whereas medical data should be stored on a dedicated system for processing health data;
- the cloud platform used by the company was inadequately secured. Three servers running at the company's headquarters did not have up-to-date technical support from the manufacturer (support ended in January 2020). The software on the company's servers had not been updated through an oversight by IT staff, so a vulnerability was created in the IT system that could have contributed to hackers taking over the devices;
- the company inadequately protected itself against ‘phishing’ attacks, which involve the person attacking the system impersonating another entity (person). According to the findings of the President of the Personal Data Protection Office, in all likelihood, this is how hackers got into the IT system.
The company assumed that the level of security of the data it was processing was adequate, solely on the basis of an internal audit carried out at the company to extend the validity of the ISO/IEC 27001:2013 certificate. However, this assumption was incorrect. The lack of a properly conducted risk analysis, crucial for data protection, led to the company's failure to implement appropriate organisational and technical measures to protect the processed data. This could have had a real impact on the occurrence of a personal data breach.
In addition, the company did not regularly test the effectiveness of the security features of its IT systems. In doing so, it deprived itself of an important means of meaningfully assessing the level of risk in data processing. Moreover, it acted in the mistaken belief that the aforementioned risks were only at a low or, at most, medium level.
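The findings above (servers whose vendor support had lapsed, patches not applied, health data kept on ordinary network drives, and a risk analysis that rated everything low or medium) are all things an organisation can check mechanically and on a schedule. The following is an added example, not code from the decision or from the company: a small asset-inventory review that lists the concrete risk factors found on each system and derives a risk level from them rather than assuming one. The inventory, the assessment date, the 30-day patch SLA and the rating rule in `risk_level` are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    """One system from the inventory (constructed fields, not the company's real data)."""
    name: str
    vendor_support_end: Optional[date]   # None means the manufacturer still supports it
    last_patched: date
    holds_health_data: bool
    is_dedicated_health_system: bool     # the approved system for processing health data


def risk_factors(asset: Asset, today: date, patch_sla_days: int = 30) -> List[str]:
    """Return the concrete, checkable findings for one asset.

    Each string is a fact a risk analysis must take into account; an empty list
    means none of the checked conditions applies.
    """
    factors: List[str] = []
    if asset.vendor_support_end is not None and asset.vendor_support_end < today:
        factors.append(f"vendor support ended {asset.vendor_support_end.isoformat()}")
    patch_age = (today - asset.last_patched).days
    if patch_age > patch_sla_days:
        factors.append(f"not patched for {patch_age} days")
    if asset.holds_health_data and not asset.is_dedicated_health_system:
        factors.append("health data stored outside the dedicated system")
    return factors


def risk_level(factors: List[str]) -> str:
    """Hypothetical rating rule (an assumption of this example).

    Unsupported software or misplaced health data is rated high on its own;
    two or more findings of any kind are also high; a single lesser finding is
    medium; no findings is low.
    """
    if not factors:
        return "low"
    severe = any(f.startswith("vendor support") or f.startswith("health data") for f in factors)
    if severe or len(factors) >= 2:
        return "high"
    return "medium"


def assess(assets: List[Asset], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Map each asset name to its (risk level, list of factors) as of `today`."""
    result: Dict[str, Tuple[str, List[str]]] = {}
    for asset in assets:
        factors = risk_factors(asset, today)
        result[asset.name] = (risk_level(factors), factors)
    return result


# Constructed sample inventory; names, dates and roles are invented for the example.
SAMPLE_INVENTORY: List[Asset] = [
    Asset("fs-old-01", date(2020, 1, 31), date(2019, 12, 15), True, False),   # old file server
    Asset("ehr-app-01", None, date(2021, 5, 20), True, True),                 # dedicated health system
    Asset("mail-gw-01", None, date(2021, 4, 1), False, False),               # mail gateway
]
ASSESSMENT_DATE = date(2021, 6, 1)   # constructed review date


if __name__ == "__main__":
    for name, (level, factors) in assess(SAMPLE_INVENTORY, ASSESSMENT_DATE).items():
        print(f"{name}: {level}")
        for f in factors:
            print(f"    - {f}")
```

Running the review on a schedule (and keeping the output) is what turns a risk analysis from a document into a measurement: an asset with lapsed vendor support or health data outside the approved system can never come out as "low" under this rule, whatever the previous assessment said.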
As a result of the above findings, the President of the Personal Data Protection Office issued an administrative decision in which he found irregularities in the company's compliance with the provisions on personal data protection and imposed a fine of PLN 1,440,549. He ordered the company to improve the way it processes data and set a deadline of 30 days for the company to conduct a proper risk analysis of its data processing operations and to implement, on this basis, appropriate technical and organisational measures to ensure data security. The President of the Personal Data Protection Office also obliged the company to implement rules to regularly check the effectiveness of the adopted measures.
In the decision, the President of the Personal Data Protection Office indicated that the risk analysis should take into account real threats to data processing and properly estimate their level. Risk analysis cannot be an apparent activity performed only to meet the formal requirements of the personal data protection regulations, because then it does not work as an effective way to minimise threats. The President of the Personal Data Protection Office pointed out that ‘even if among the risk factors in the analysis developed by the company, the factors that could cause personal data breaches were taken into account, this was done without the possibility of duly estimating the levels of the aforementioned risks. Thus, the risk analysis was deprived of key information to consciously and in a planned manner minimise the risks associated with data processing and to avoid or limit the occurrence of data breaches in the future.’
The full text of the decision of the President of the Personal Data Protection Office can be read (in Polish) at the following link: