News

📌 Data security and PIA

27/03/2025

🚨 Poland: American Heart of Poland SA Penalized for Serious Data Security Breaches 🚨

The company American Heart of Poland SA suffered a cyberattack that resulted in a personal data breach affecting 21,000 individuals. The supervisory authority found that the company had assessed the risks to data security poorly and, during the pandemic, had failed to comply with its own security policies.

Details:

Identified Violations:

  1. Violation of Article 5(1)(f) of the GDPR: Data Security
    Unauthorized individuals gained access to a wide range of personal data, including:
  • Identity Information: Surnames, first names, parents' names, mother's maiden name, date of birth.
  • Financial Data: Income, assets, bank account numbers.
  • Sensitive Data: COVID test results, other medical data.
  • Other Information: Personal identification numbers (PESEL), usernames and passwords, ID card series and numbers, phone numbers, email addresses, and physical addresses.

Article 5(1)(f) requires personal data to be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

  2. Violation of Articles 32(1)(d) and 24 of the GDPR: Security and Accountability
  • Article 32(1)(d): The controller had no process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures meant to ensure the security of processing.
  • Article 24: The company could not demonstrate that it had implemented the technical and organisational measures needed to protect the processing it carried out.

Findings:

  • The Data Protection Impact Assessment (DPIA) was improperly conducted and did not reflect the actual risks to the data.
  • COVID test results were stored on the company's general network instead of on a dedicated, secured system for health data.
  • The cloud platform used by the company was not adequately secured.
  • Servers and software were not kept up to date, leaving known vulnerabilities that the attackers exploited.

The Data Protection Authority emphasized that risk assessments must address actual threats and cannot merely serve as a formal compliance exercise.


Consequences:

  • Administrative Fine: €330,000.
  • Reputational Damage: Public trust in the company has been significantly eroded.
  • Compliance Enforcement: The company must now strengthen its security measures and comply with GDPR regulations.

🔧 Best Practices for GDPR Compliance

To avoid similar penalties, organizations should:

  • Implement Regular Updates for Software and Servers: Apply security patches as soon as they are available, so that known vulnerabilities are not left open for attackers.
  • Secure Sensitive Data: Store health and other special-category data on dedicated, access-controlled systems, segregated from the general network.
  • Conduct Comprehensive Risk Assessments: Identify the real threats to the processing and apply security measures proportionate to them, rather than treating the assessment as a paperwork exercise.
  • Test Security Measures Effectively: Regularly test, assess and evaluate the effectiveness of the measures in place, as Article 32(1)(d) requires, so that weaknesses are detected and addressed before they are exploited.
  • Train Employees: Ensure staff are educated on cybersecurity best practices and on the organisation's GDPR obligations, including its own security policies.