News
🏥Security and data breach
🏥 🇩🇪 German Hospital: €20,000 Fine for a Data Breach 🏥 🇩🇪
DPA: Data Protection Authority of the state of Baden-Württemberg (Germany)
Violation: Article 32(1) of the GDPR – Security of Processing
📢 Context
In November 2018, the German social network Knuddels was fined €20,000 by the DPA.
The violation concerned Article 32(1) of the GDPR, relating to the security of personal data.
The fine was relatively low compared with other cases (e.g., the Barreiro hospital case in Portugal) because the authority took the following mitigating factors into account:
- The company’s transparency
- Its cooperation with the authorities
- The swift implementation of corrective measures after the breach
🔍 The Facts:
🔐 Unsecured password storage:
Knuddels stored user passwords in plain text, neither hashed nor encrypted, so anyone who obtained the database obtained every password directly.
🧑‍💻 July 2018 hack:
Approximately 2.7 million pieces of personal information were stolen and published online in September 2018.
Compromised data included:
- User passwords
- Usernames (pseudonyms)
- Email addresses
- Personal details like first names or places of residence
🛠️ Post-attack response:
- The company promptly informed both the Data Protection Authority and its users
- Users were urged to change their passwords, especially if they reused them on other platforms
⚖️ Consequences
- Administrative fine: €20,000
- Cooperation and transparency: These factors helped mitigate the penalty
✅ To avoid such penalties, companies must:
- Encrypt passwords and other sensitive data
- Implement robust security measures to prevent breaches
- Promptly inform authorities and affected users in the event of a breach
- Train staff on legal obligations related to data security