08/26/2024 | Press release | Archived content
The President of the Personal Data Protection Office imposed a fine of PLN 40,000 on the Independent Public Health Care Centre in Pajęczno. As a result of a hacking attack, the Centre lost access to patient and employee data. It took corrective action only after the fact; before the attack it had not carried out a risk analysis for the personal data it processed, and so it could not protect that data effectively. That is why the fine was imposed.
The hacking attack occurred in February 2022. Ransomware encrypted the personal data of 30,000 patients and more than 1,000 employees. The Health Care Centre notified the Personal Data Protection Office and the police. However, it considered the attack not to be serious, because the data had not leaked; it had merely become inaccessible. An external expert found that the data could not be decrypted, since the attackers made decryption conditional on the payment of a ransom in cryptocurrency.
In the course of the proceedings, the President of the Personal Data Protection Office found that the matter was serious.
The procedures adopted at the Health Care Centre turned out not to be adequate to the risks to personal data. This was demonstrated by an audit that was carried out only after the attack.
Without a risk analysis, the Health Care Centre also made mistakes after the incident: it reported the problem to the Personal Data Protection Office and the police, but failed to notify the data subjects. It did not inform them that it had lost control over data such as their name and surname, parents' names, date of birth, bank account number, address of residence or stay, personal identification number (PESEL number), username and/or password, details of earnings or assets held, mother's maiden name, ID card series and number, telephone number and health data.
The Health Care Centre believed that it did not need to notify those concerned because the data had not been stolen; it had simply lost access to the data. However, the findings show only that no trace of a data leak was found. That is not the same as establishing that the attackers did not copy the data before encrypting it.
Moreover, had the Health Care Centre carried out a reliable risk analysis, it would have known that data leakage is not the only problem: patients losing access to their health data is also a breach, since under the GDPR a loss of availability of personal data is a personal data breach just as an unauthorised disclosure is. Such a risk cannot be assessed as low, and a different risk classification would have prompted the Health Care Centre to put better safeguards in place.
In addition to the fine, the President of the Personal Data Protection Office ordered the Health Care Centre to implement, within 30 days, appropriate technical and organisational measures to ensure the security of data processing in its IT systems. He also ordered it to notify the data subjects of the incident, explain to them what happened, describe the possible consequences of the incident, and indicate who at the Health Care Centre can provide further information on the matter.
DKN.5131.57.2022