News
Poland: erroneous risk analysis
🔗 Cybersecurity ≠ Protection of rights & freedoms: the error that costs
Białystok paediatric hospital fined PLN 66,500 / ~€15,000 🇵🇱
UODO sanction: 30 June 2025
Decision: DKN.5131.48.2022
🔍 Background to the incident
- Ransomware attack: infrastructure completely blocked, possible access to approx. 2,000 HR files (confidentiality & availability affected); ‘patient’ data not compromised.
- Period: July 2020 → August 2022 (several service interruptions and an incomplete restoration attempt).
📌 Why the GDPR was breached despite ‘cyber’ efforts
🔶 ‘Cybersecurity-oriented’ risk analysis.
- Threat tables (ransomware, DDoS, power loss) ✅
- But no link with HR or patient processing 👎
- No scenario: ‘If HR file unavailable 72 h → payroll delay → employee financial impact’
🔶 ‘Schrödinger’ back-ups
- Daily back-ups ✔️ but stored on the same LAN ❌
- No trace of ‘full bare-metal restore test’ (art. 32 §1 c)
🔶 Efficiency tests absent
- No audit log, no quarterly review.
- Hospital relied on the external provider's report without verifying it in-house
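The two gaps above (copies kept on the production LAN, no evidenced restore test or periodic review) expressed as a control check. This is an added example, not material from the decision or the hospital; every host, subnet and date in it is constructed.

```python
"""Control check modelled on the back-up findings in this decision.

Flags (1) back-up copies reachable from the production LAN and not immutable,
and (2) no full restore test evidenced within the review period.
All subnets, hosts and dates below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

# Assumption: the production LAN that a ransomware outbreak would reach.
PRODUCTION_LANS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class BackupTarget:
    name: str
    host_ip: str                       # where the copies are stored
    offline_or_immutable: bool         # air-gapped / WORM copy?
    last_full_restore_test: date | None  # evidence for art. 32(1)(c)


def on_production_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRODUCTION_LANS)


def assess(target: BackupTarget, today: date, max_test_age_days: int = 90) -> list[str]:
    """Return findings for one target; an empty list means both checks pass."""
    findings = []
    if on_production_lan(target.host_ip) and not target.offline_or_immutable:
        findings.append(f"{target.name}: copies reachable from the production LAN")
    if target.last_full_restore_test is None:
        findings.append(f"{target.name}: no full restore test evidenced")
    elif today - target.last_full_restore_test > timedelta(days=max_test_age_days):
        findings.append(f"{target.name}: last restore test older than {max_test_age_days} days")
    return findings


# Constructed sample: the pattern the decision describes next to a corrected set-up.
SAMPLE = [
    BackupTarget("nas-daily", "10.20.5.40", False, None),
    BackupTarget("offsite-vault", "192.0.2.10", True, date(2025, 5, 20)),
]


def run_review(today: date = date(2025, 6, 30)) -> dict[str, list[str]]:
    return {t.name: assess(t, today) for t in SAMPLE}


if __name__ == "__main__":
    for name, findings in run_review().items():
        print(name, findings or ["OK"])
```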
🔶 Blind trust in Polish KSC law.
- KSC (NIS equivalent) targets continuity; the GDPR targets individuals.
- Result: superficial DPIA, incomplete register, measures not correlated with the risks
🚩 Sanction:
💸 Fine: 66,500 PLN (~ €15,000)
🎯 Key message: the ‘cyber checklist’ is not enough if the ‘rights & freedoms’ impact is not at the heart of the analysis
🔴 Breaches
| What tipped the scale | Why the UODO said “no” |
|---|---|
| Sloppy risk analysis | Conducted from the hospital’s viewpoint instead of the data subject’s; no clear link between processing activities, threats and safeguards. |
| Poorly managed back-ups | No documented test/restore procedure; copies stored without adequate security. |
| “Cyber vs. GDPR” confusion | Relying on a national-cybersecurity audit does not prove protection of data subjects’ rights and freedoms (Art. 32 GDPR). |
| No regular testing | Unable to show continuous monitoring of the effectiveness of technical and organisational measures (Art. 32 §1 d). |
👉 Why this is a signal for ALL organisations
- Modest fine (€15k) but a clear message: the UODO sanctions even without patient leakage, just for a shaky DPIA.
- Supervisory authorities are converging: CNIL (France, AI factsheet), AEPD (Spain), IMY (Sweden)... the same demands with regard to ‘rights and freedoms’.
- The European NIS 2 regulation (2024) calls for unified cyber + privacy governance → we need to align the two now.