KG LEGAL \ INFO
BLOG

Computer Security Day and one of the biggest ransomware attacks on medical data in Poland –

Publication date: November 30, 2023

Ransomware attacks and their legal consequences: a threat to cybersecurity

Computer Security Day, the international day for raising cybersecurity awareness, falls on November 30, and just a few days ago the largest medical data leak to date occurred in Poland. The victim of this cyberattack was one of the laboratory networks in Poland, which cooperates with many Polish clinics, hospitals and other medical facilities. The company refused to cooperate with cybercriminals, which resulted in the disclosure of medical and personal data of over 50,000 people. Poles. Unfortunately, the group of hackers announced that if the company does not meet their ransom demands, they will publish the full dataset by December 31, 2023. They include information such as names, surnames, Polish National Security Numbers, addresses, dates of orders and examinations, as well as numbers enabling verification in the laboratory systems.

The company assures that the matter is treated as a priority and has provided information on what steps can be taken to minimize the harmful consequences of possible data leakage. First of all, it recommends setting up an account in the credit and business information system in order to monitor one’s credit activity and reporting the fact of a data breach to the competent authorities in order to prevent the so-called “identity theft”. It is worth mentioning that the Polish Ministry of Digitization responded equally quickly and provided a special tool that allows citizens to check whether the data has been breached.

Ransomware – what is it and why should we be afraid of it?

Ransomware attacks, which are gaining popularity, pose a financial threat and destabilize IT systems. Ransomware is a form of malware that encrypts user data, making it inaccessible, and then demands a ransom in exchange for unlocking it.[1] They usually start by infecting the system via a malicious file or link. To get into it, cybercriminals use various methods, such as phishing[2], exploit Kits[3] or unsecured network connections. Once infected, the malware quickly begins the process of encrypting user data, depriving the user of any access. They then send a ransom demand, most often in the form of cryptocurrency, promising to restore access after paying a fee.

Personal data breach

Such actions have legal consequences, not only those relating to cybercriminals. Ransomware attacks lead to serious violations of data privacy, which leads to serious legal consequences for companies or institutions that have not properly secured them. When we talk about a personal data breach, we mean a security breach leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed[4]. Therefore, if customer or employee data is stolen or lost, the company or institution may be subject to civil liability. In the event of a data protection breach resulting in a risk of violating the rights and freedoms of data subjects, one of the obligations imposed on data controllers is to report the breaches to the supervisory authority, in the case of Poland it is the President of the Personal Data Protection Office. The person responsible for personal data must report the breach without undue delay and no later than 72 hours after noticing the breach[5]. Moreover, in accordance with Art. 34 point 1 of the GDPR[6], the administrator should, in some cases, also notify the data subject about this fact.

Administrative penalties and compensation

It should be noted that there are administrative sanctions for violating the provisions of the GDPR. When the supervisory authority finds a violation of the provisions of the regulation, it may impose an administrative penalty. They should be effective, proportionate and dissuasive. Article 83 of the GDPR defines two bands of administrative fines. For milder infringements, a fine of up to EUR 10 million or 2% of the company’s annual turnover may be imposed. However, a more severe penalty of up to EUR 20 million or 4% of the company’s annual turnover is provided for more serious infringements.

In addition to administrative sanctions, the provisions of the GDPR provide for the possibility of obtaining compensation. Pursuant to Article 82 of the GDPR[7], any person who has suffered material or non-material damage as a result of a breach of his or her personal data has the right to obtain compensation from the person responsible or from the processor for the damage suffered. This means that in the event of property damage, the injured party has the right to seek compensation for the actual damage and reimbursement for lost profits. If non-pecuniary damage has occurred, he is entitled to a claim for compensation for the harm suffered. However, it is important to note that Article 82(3) of the GDPR[8] clearly states that the data controller and the processor are exempt from any liability if they demonstrate that they are not responsible for the event causing the damage. The amount of compensation depends on the type of breach, the amount of data lost and the extent of the damage caused.

Data processing in the laboratory

The processing of personal data in medical laboratories covers many issues related to collecting, analyzing, sharing and storing information about patients and medical tests. Data security, confidentiality and accuracy are extremely important issues in ensuring high-quality patient care. The entire data processing process in the laboratory consists of many stages. The first step is to collect data such as medical history, results of medical tests and laboratory or other diagnostic procedures. They are then registered in the medical laboratory information system. Data is stored securely in accordance with privacy and security guidelines. Depending on the type of information, it may be stored in physical form, but electronic form is becoming more and more common. Moreover, they are encrypted, access to them is controlled and the systems are protected against unauthorized access. However, test results may be used by doctors and other authorized medical personnel to further care for the patient. Older data that is no longer current may be archived in accordance with applicable regulations. There are several ways to prevent medical data breaches. These include, among others: encryption of device memory/files containing personal data, additional user verification mechanisms, such as passwords or PINs, and regularly updated software controlling access to the computer from outside (firewall). The recent ransomware attack on medical data will force the analysis whether the data was adequately encrypted or parsed and secured. The issues to be verified will also be whether the laboratories used external providers of cloud security solutions for medical data and whether the access to data was protected at multiple levels.

Preventing ransomware attacks

An important issue is how to prevent such attacks. First of all, all data sent electronically must be encrypted to prevent access by unauthorized persons. Each stage of data transfer should be carefully monitored and controlled. This includes registration and transfer of data to the destination. This helps identify potential problems and data loss. Medical laboratories must comply with local and international data protection regulations such as GDPR. In addition to encryption, other technical security measures should be used, such as the use of passwords and access authorization. However, the most important thing is the staff. It is the employees responsible for the transmission that should be trained in security procedures to minimize the risk of human error.

Conclusion

Ransomware attacks are an increasingly serious threat to cyberspace. Companies and individuals must meet these risks with protective measures. Compliance with data protection regulations is becoming not only a matter of compliance, but also a fundamental element of legal responsibility in the face of dynamically spreading cybercrime. The analysed case illustrates how complex is the problem of assessing the liability for damage in ransomware attacks on medical data. The focus in such cases should be on the force majeure, dule diligence, and the extent of damage as well as all regulatory duties for data processing and the jurisdiction where the ransomware had taken place.


[1] Ransomware – one of the most serious threats in cyberspace , https://www.gov.pl/web/baza-wiedzy/ransomware–zdrowie-z- najpowazńskich zagrozen -w-cyberstrzeni

[2] Phishing is a type of fraud consisting in impersonating another person or institution in order to extort information, infect equipment with malware or persuade the victim to take specific actions.

[3] It is a tool used by criminals to infect workstations by exploiting vulnerabilities in browsers, operating systems and other programs (most often such as Adobe Flash or Java).

[4] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art. 4 point 12.

[5]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art. 33 point 1.

[6] “Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of such breach without undue delay,” Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Art. 34 point 1.

[7] “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation has the right to obtain from the controller or processor compensation for the damage suffered”, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Art. 82 point 1.

[8]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art. 82 point 3.

UP