Polish SA: administrative fine of 330 000 for a medical company after a hacker attack (European Data Protection Board)

The IT infrastructure of the company American Heart of Poland SA was attacked by hackers, who thus gained access to the detailed personal data of approximately 21 000 individuals. The President of the Personal Data Protection Office found that this occurred because the company had incorrectly estimated the risk to the data. Additionally, during the pandemic the company did not comply with its own data security policy.

Unauthorised persons gained access to the data of patients and employees of the company. The incident covered a wide range of data, i.e. surname, first name, parents' first names, mother's family name, date of birth, data on earnings or assets held, health data, bank account number, residence or stay address, personal identification number (PESEL number), username or password, ID card series and number, telephone number and e-mail address.

The lack of a properly conducted risk analysis, crucial for data protection, led to the company's failure to implement appropriate organisational and technical measures to protect the processed data. This could have had a real impact on the occurrence of a personal data breach.

The President of the Personal Data Protection Office, in the course of its activities, established that:

In the decision, the President of the Personal Data Protection Office indicated that the risk analysis should take into account real threats to data processing and properly estimate their level. Risk analysis cannot be an apparent activity performed only to meet the formal requirements of the personal data protection regulations, because then it does not work as an effective way to minimise threats. The President of the Personal Data Protection Office pointed out that even if, among the risk factors in the analysis developed by the company, the factors that could cause personal data breaches were taken into account, this was done without the possibility of duly estimating the levels of the aforementioned risks. Thus the risk analysis was deprived of key information needed to consciously and in a planned manner minimise the risks associated with data processing and to avoid or limit the occurrence of data breaches in the future.

The President of the Personal Data Protection Office has imposed a fine of 330 000 for infringement of Articles 5, 24 and 32 of the GDPR and has ordered the controller to bring processing operations into compliance with the provisions of the GDPR.

For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.