Personal Data Protection Office of Poland

08/26/2024 | Press release | Archived content

Administrative fine for the Independent Public Health Care Centre in Pajęczno after loss of data

The President of the Personal Data Protection Office imposed a fine of PLN 40,000 on the Independent Public Health Care Centre in Pajęczno. As a result of the hacking attack, the Centre lost access to patient and employee data. It only took corrective action after the fact. Before that, it had not carried out a risk analysis for personal data. Therefore, it could not effectively protect personal data - hence the fine.

The hacking attack occurred in February 2022. Malicious ransomware encrypted the personal data of 30,000 patients and more than 1,000 employees. The Health Care Centre notified the Personal Data Protection Office and the police. However, it considered that the attack was not serious, as the data did not leak - they only became inaccessible (an external expert indicated that the data could not be decrypted - the attackers made the decryption of the data conditional on paying a ransom in cryptocurrency).

The President of the Personal Data Protection Office found in the proceedings that the matter was substantial.

  • It was only after the attack that the Health Care Centre reacted to the threat to personal data. It then called in experts, who identified security gaps and recommended changes. Training courses were also held for employees on IT and data security.
  • However, the Health Care Centre did not have - which is crucial - documents confirming the preparation and updating of a risk analysis for personal data. Data security was entrusted to an IT specialist who continuously analysed, among other things, vulnerabilities, threats, possible consequences of a breach and security measures to ensure the confidentiality, integrity and accessibility of the personal data processed. This could in no way ensure proper control over data security.

As a result, the procedures adopted at the Health Care Centre were not adequate for the risks to personal data. This was proved by an audit already carried out after the attack.

Without having a risk analysis, the Health Care Centre also made mistakes after the incident - it reported its problem to the Personal Data Protection Office and the Police, but failed to notify the data subjects of the problem. The Health Care Centre failed to notify data subjects that it had lost control over data such as their name and surname, parents' names, date of birth, bank account number, residence or stay address, personal identification number (PESEL number), username and/or password, details of earnings or assets held, mother's family name, ID card series and number, telephone number and health data.

The Health Care Centre believed that it did not need to notify those concerned because the data had not been stolen; it just did not have access to the data. However, the findings only show that there is no trace of data leakage. This does not mean that the hackers did not copy the data.

Besides, if the Health Care Centre had made a reliable data risk analysis, it would have known that it is not only data leakage that is the problem, but also that patients lose access to their health data. Such a risk cannot be assessed as low. And a different risk qualification would have prompted the Health Care Centre to put better safeguards in place.

In addition to the fine, the President of the Personal Data Protection Office ordered the implementation of appropriate technical and organisational measures to ensure the security of data processing in IT systems within 30 days. He also ordered the Health Care Centre to notify the data subjects of the incident, explain to them what happened, outline the possible consequences of the incident and indicate who can provide more information on the subject in the Health Care Centre.

DKN.5131.57.2022