Publication date: November 21, 2024
The risk analysis should take into account real threats to data processing and properly estimate their level. Risk analysis cannot be a superficial activity performed solely to meet the formal requirements of the personal data protection regulations, because then it does not function as an effective way to minimize threats – learnings from the most current decision of the Polish Office for Personal Data Protection imposing a fine on a medical company undergoing ransomware attack.
The hacker attack that recently took place in Poland and affected a company from the medical sector is a perfect example of serious threats related to the protection of sensitive data[1]. The leakage of patient information – such as personal data, PESEL numbers, addresses, as well as medical data – not only poses a serious risk to privacy, but also indicates potential negligence on the part of the data controller. Below, we will present in detail the nature of this incident, the issue of legal liability, the procedures required after the attack, and the regulations applicable in such situations.
The incident involved the leakage of personal data, including sensitive patient information, due to a ransomware attack. Cybercriminals exploited vulnerabilities in the company’s security systems, which allowed them unauthorized access to databases. Such attacks typically involve encrypting information on the victim’s system and demanding a ransom to unlock it.
In this case, the data that may have been compromised included:
Due to the sensitive nature of this data, an incident not only poses the risk of data being used for criminal purposes (e.g. fraud, fake loans), but also the violation of the dignity and privacy of those whose data has been disclosed. Such breaches can result in serious financial and reputational consequences for the company.
Ransomware is one of the most serious threats in cybersecurity[2]. In this case, it is likely that exploits were used[3] tools that allow for the exploitation of a system’s weaknesses—or phishing[4] could introduce malware into the company’s network.
The healthcare sector is particularly vulnerable to such attacks because:
The data controller, i.e. the entity managing and processing personal data, is responsible for their protection. In this case, the controller should have implemented appropriate technical and organizational measures to protect the data from unauthorized access.
Key aspects of responsibility:
If there is negligence, the President of the Office for the Protection of Personal Data may impose a financial penalty, the amount of which depends on the scale of the breach and its effects[6]. In extreme cases, it may amount to 20 million euros or 4% of the company’s annual global turnover.
In the event of a breach of personal data protection, the data controller is obliged to:
After an incident, an entrepreneur should immediately take a series of actions to minimize the effects of the incident and protect data from further breaches. The first step is to immediately block access to systems affected by the attack, and then remove detected security gaps, which will protect the remaining data resources from possible further attempts to breach them.
The next important step is to assess the scale of the breach, which involves identifying the type and scope of data that may have been compromised and conducting a risk analysis of the potential consequences for data subjects. Based on this, the business should implement new security measures, such as improved data encryption or more advanced leak prevention systems. Security policies should also be developed and implemented, including regular backups and testing of systems to ensure their effectiveness in the future.
Equally important is proper crisis management in terms of communication. The entrepreneur should act transparently towards the injured parties, clearly informing them about the incident and the corrective steps taken. Cooperation with the media and public authorities is crucial to minimize the negative effects on the organization’s reputation and ensure compliance with applicable regulations.
The Office for Personal Data Protection plays a key role in supervising compliance with the provisions resulting from the GDPR, ensuring the protection of personal data and ensuring that the actions of administrators comply with the applicable regulations. Within the scope of its competences, the Office for Personal Data Protection conducts explanatory proceedings aimed at analyzing the circumstances and actions taken by entities processing data, and in the event of irregularities, it may impose appropriate sanctions.
In relation to the discussed case, the Office may assess whether the security measures applied by the administrator were adequate and sufficient to protect the processed data. If necessary, it will also initiate administrative proceedings to determine whether there has been a violation of the law. Additionally, based on its findings, the Office for the Protection of Personal Data issues recommendations regarding the introduction of actions and procedures aimed at preventing similar incidents in the future.
In the analysed case, the company learned about the data leak from hackers who demanded a ransom of $3 million for not disclosing the intercepted data. The company notified the President of the Personal Data Office about the incident, and the people whose data had been leaked informed about the threat related to the incident.
The President of the Office conducted explanatory and control activities in this matter, and as a result initiated administrative proceedings against the company.
In addition, the President of the Office established in the course of the activities carried out that:
– the company had not implemented all the necessary measures to protect the data it processed, and was also unable to determine the cause of the leak;
– the company had not followed its own recommendations regarding data security, i.e. it stored information about the results of COVID tests of customers on network drives, while medical data should be stored in a special system intended for processing health data;
– the cloud platform used by the company was too poorly secured. Three servers operating at the company’s headquarters did not have current technical support from the manufacturer (support ended in January 2020). The software on the company’s servers was not updated due to an oversight by IT specialists, which is why a gap appeared in the IT system that could have contributed to hackers taking over the devices;
– the company did not properly protect itself against “phishing” attacks, consisting in the person attacking the system impersonating another entity (person). According to the findings of the President of the Office, it is very likely that this is how hackers got into the IT system.
The company assumed that the level of security of the data it processed was appropriate only on the basis of an internal audit conducted there, the purpose of which was to extend the validity of the ISO/IEC 27001:2013 certificate. However, this assumption was incorrect. The lack of a properly conducted risk analysis, which is crucial for data protection, led to the company’s failure to implement appropriate organizational and technical measures to protect the processed data. This could have had a real impact on the occurrence of a breach of personal data protection.
In addition, the company did not regularly test the effectiveness of IT system security. In this way, it deprived itself of an important means of reliably assessing the level of risk in data processing. Moreover, it acted in the erroneous belief that the above risks were only small or, at most, medium.
As a result of the above findings, the President of the Office issued an administrative decision in which it found irregularities in the company’s compliance with the provisions on personal data protection and imposed a fine on it in the amount of PLN 1,440,549. The President of the Office ordered the company to improve the way it processes data and set it a deadline of 30 days to conduct a proper risk analysis for the processes of data processing by it and to implement appropriate technical and organizational measures to ensure data security on this basis. The President of the Office also obliged the company to implement the principles of regular verification of the effectiveness of the adopted measures.
In the decision, the President of the Data Protection indicated that the risk analysis should take into account real threats to data processing and properly estimate their level. Risk analysis cannot be a superficial activity performed solely to meet the formal requirements of the personal data protection regulations, because then it does not function as an effective way to minimize threats. The President of the Office pointed out that “even if the risk factors in the analysis prepared by the company included factors that could cause personal data protection violations, this was done without the possibility of properly estimating the levels of the above risks. Thus, the risk analysis was deprived of key information that would allow for conscious and planned minimization of risks related to data processing and for avoiding or limiting the occurrence of data protection violations in the future.”
To analyze the incident the following should be used:
[1]Art. 1 sec. 1 and 2 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781) introduces the scope of personal data protection in Poland in accordance with the GDPR.
[2]https://www.ncsc.gov.uk/ransomware/home
[3]https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-exploit.html
[4]https://www.proofpoint.com/us/threat-reference/phishing
[5]https://bibliotekanauki.pl/articles/276556.pdf
[6] https://uodo.gov.pl/pl/138/3273 ; https://www.uodo.gov.pl/decyzje/DKN.5112.35.2021
[7]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L. of 2016, No. 119, p. 1, as amended).