December 18, 2024

Context of the attack:

Yesterday, the APD Litigation Chamber fined a Belgian hospital €200,000 for security breaches discovered after a ‘ransomware’ attack in 2021 affected its servers and paralysed part of its computer system.

The intrusion was carried out by a hacker in Asia via the Microsoft Exchange email server. The hacker uninstalled the anti-virus and then installed a malicious program, which enabled him to create an ‘administrator’ account and control access; about 5 gigabytes of information was exported by the hacker during the attack. As a result, the emergency department was closed for 3 days, and it took the hospital almost 12 days to fully remediate the consequences of the breach, including restoring the functionality of staff email accounts.

The hospital notified the APD of the personal data breach and issued a press release to inform the public. Due to the indicators of increased risk (i.e., special categories of personal data involved and more than 300,000 individuals affected), an inspection was carried out and the APD provided the hospital with questionnaires relating to the investigation of the incident.

Findings of the DPA:

The report confirmed that the data breach was undoubtedly the result of an external intrusion into the defendant’s infrastructure from Asia. The report also identified a number of breaches of data protection obligations. In particular:

1. Violation of Article 35.3 of the GDPR due to the absence of a data protection impact assessment

The DPIA must cover all processing activities, including staff email accounts (where sensitive data is processed through them), as it is clear that these were the origin of the breach and that it ultimately affected the servers containing patient records, particularly X-rays:

P. 65 and 66: “Even if the attack had only targeted staff e-mail accounts, the fact that the latter enable sensitive data of vulnerable individuals to be processed on a large scale therefore requires the defendant to comply with its obligation to carry out a DPIA concerning such processing, irrespective of whether such data is encrypted during the sending of electronic messages.

(…) It is clear from the investigation report that the hospital’s servers were paralyzed (including the software supporting medical records), and that the latter ceased to be operational as a result of the attack.”

In addition, the Chamber stated that neither the risk assessments carried out by the hospital’s auditors nor the fact that a DPIA had been commissioned could be considered to meet the requirement.

2. Violation of Articles 5.1.f and 32 of the GDPR due to the non-existence of an effective and formal security and privacy policy at the time of the data breach

The hospital had a number of documents in place following the data breach, but they were not linked to or referenced by each other and were not focused on security and privacy: some of them related to healthcare and others were IT agreements. In addition, sector-specific regulations require the implementation of a formal policy, which was not in place.

P. 78: “(…) prior to this date, the information security policy consisted of a set of documents (see paragraph 84). However, the implementation of a set of documents with no link between them, nor reference to each other, with purposes unrelated to the implementation of technical and organizational measures provided for by the GDPR, does not constitute “appropriate technical and organizational measures” to address risks, within the meaning of Article 32.1 of the RGPD. In addition, the Minimum Standards (…) require a formal policy (…)”

3. Violation of Articles 5.1.f, 24 and 32 of the GDPR due to the ineffectiveness of the policy and/or procedure for updating the security of IT equipment (software)

The so-called policy consisted of a series of consultancy contracts entered into by the hospital to ensure monthly monitoring of its installations. It also mentioned the measures taken following the data breach. The investigation concluded that the flaw exploited by the hacker was a vulnerability in the Microsoft Exchange server, so checking only firewalls and anti-virus gateways did not prevent the exploitation of this type of vulnerability, which is considered ‘critical’ because of its ease of exploitation. The solution is proper patch management, which the EDPS included as one of the most important security measures in its Guidelines 01/2021 of 14 December on examples of data breach notification.

4. Violation of Articles 5.1.f, 24 and 32 of the GDPR due to other missing security measures, namely:

  • The lack of an adequate and regular data protection training/awareness programme for employees, adapted to their functions. It should be noted that while phishing training is useful, it is not sufficient to cover the important aspects of personal data protection;
  • The absence of a system to preserve logs for later analysis in the event of an incident, designed to prevent logs from being deleted or encrypted;
  • The absence of regular testing, analysis and evaluation of the effectiveness of the technical and organisational measures for ensuring the security of processing, including hardware and software, so as to ensure a level of security appropriate to the risk;
  • Weak security of the password for access to the patients’ computerised file, which the APD recommends should be at least 12 characters long and be combined with a two-factor authentication mechanism.
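The log-preservation finding above is what makes the attack chain described earlier (anti-virus removed, then an ‘administrator’ account created) reconstructible after the fact. As an added example that is not part of the decision or of this article, the following script correlates that sequence over constructed, normalised Windows event lines; the hostnames, account names, timestamps and the `<timestamp> <host> <event id> <message>` line format are assumptions, while the event IDs are the standard Windows ones.

```python
# Added example (constructed data): correlate the sequence from the decision -
# antivirus disabled, then a new account created and added to the local
# Administrators group on the same host within a short window.
from collections import defaultdict
from datetime import datetime, timedelta
# Windows event IDs: 5001 = Defender real-time protection disabled (Defender/
# Operational log); 4720 = user account created; 4732 = member added to a
# security-enabled local group (both Security log).
AV_DISABLED, ACCOUNT_CREATED, ADDED_TO_GROUP = 5001, 4720, 4732
# Constructed sample in an assumed normalised "<iso timestamp> <host> <event id> <message>" form.
SAMPLE_LOG = """\
2021-04-10T02:11:05 EXCH01 5001 Real-time protection disabled
2021-04-10T02:14:40 EXCH01 4720 User account created: svc_backup2
2021-04-10T02:15:02 EXCH01 4732 Member svc_backup2 added to group Administrators
2021-04-10T09:30:00 FILE02 4720 User account created: j.doe
2021-04-10T09:31:00 FILE02 4732 Member j.doe added to group Remote Desktop Users
"""

def parse(log_text):
    """Parse normalised lines into (timestamp, host, event_id, message)."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, host, eid, msg = line.split(" ", 3)
            events.append((datetime.fromisoformat(ts), host, int(eid), msg))
    return events

def detect_admin_after_av_disable(log_text, window_minutes=60):
    """Return (host, account) pairs where, within the window after an
    AV-disabled event, an account was created and made an Administrator."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in parse(log_text):
        by_host[ev[1]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        for ts, _, eid, _ in evs:
            if eid != AV_DISABLED:
                continue
            created = set()  # accounts created inside this window
            for ts2, _, eid2, msg2 in evs:
                if not ts <= ts2 <= ts + window:
                    continue
                if eid2 == ACCOUNT_CREATED:
                    created.add(msg2.rsplit(": ", 1)[1])
                elif eid2 == ADDED_TO_GROUP and msg2.endswith("group Administrators"):
                    account = msg2.split("Member ", 1)[1].split(" added", 1)[0]
                    if account in created:
                        alerts.append((host, account))
    return alerts
```

Only EXCH01 is flagged: FILE02 shows an account being created and added to a non-privileged group with no preceding anti-virus event. The check is only as good as the log copy it runs on, which is why the logs must be shipped to a store the attacker cannot delete or encrypt.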

APD’s decision on the case:

In view of the above, the APD initially proposed a fine of €3,000,000 which was reduced to €200,000 to take account of the controller’s turnover and legal measures.

MyData-TRUST is a company specializing in privacy and data protection for the life sciences. We constantly monitor developments in this legislation to provide the best service to our clients.

Michelle Ayora

Senior Data Protection Lawyer

If you have any questions, please contact us.
