The IT infrastructure of American Heart of Poland SA fell victim to a cyber-attack, during which hackers gained access to the detailed personal data of around 21,000 individuals. The President of the Personal Data Protection Office (UODO) stated that serious neglect in risk assessment and improper observance of data security policy by the Company was the cause of this incident.
The hacker attack granted unauthorized individuals access to a broad range of patients’ and employees’ information. Leaked information included names, parent names, mother’s maiden names, birth dates, earnings data, asset status, health, bank account numbers, residential addresses, social security numbers (PESEL), login data, ID card numbers, phone numbers, and email addresses. Furthermore, the hackers demanded a ransom of 3 million dollars from the firm for not disclosing the intercepted data.
The company immediately informed the UODO President about the incident and notified the people whose data had been leaked about the resulting risk. In response, the UODO President conducted a thorough investigation and inspections, which led to the initiation of administrative proceedings against the company.
During the investigation, the UODO President found that the company had not implemented all the necessary data protection measures and, worse, was unable to determine the cause of the leak. It was also discovered that during the COVID-19 pandemic the company did not adhere to its own data security policy. For instance, clients' COVID test results were stored on network drives instead of in a specialized system for processing medical data. Additionally, the cloud platform used by the company was inadequately secured, and the servers located at its headquarters had not received up-to-date technical support since January 2020, which left a security gap.
As a result of negligence in protection against phishing attacks, hackers managed to gain access to the company's IT system. Importantly, the company relied on an internal audit to extend the validity of its ISO/IEC 27001:2013 certificate, but because no proper risk analysis had been conducted, the appropriate organizational and technical measures to protect the processed data were never implemented.
The UODO President imposed a monetary penalty of PLN 1,440,549 on American Heart of Poland SA. In the same administrative decision, the company was ordered to improve its data processing methods, conduct a proper risk analysis, and implement appropriate technical and organizational measures to ensure data security. The company has 30 days to do this.
The decision by the UODO President underlines the necessity of a realistic assessment of the threats related to personal data processing and of proper risk level estimation. Risk analysis cannot be a mere formality; it must be an effective tool for minimizing threats. The case of American Heart of Poland SA serves as a warning to other entities that a lack of proper personal data protection can lead to severe legal and financial consequences.
Source: https://managerplus.pl/15-mln-zlotych-kary-dla-american-heart-of-poland-sa-za-powazne-naruszenia-ochrony-danych-osobowych-47280