Hospital: Insufficient technical and organisational measures to ensure information security

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system, and obtained domain administrator rights. In addition to the data breach, numerous servers were locked, backups were deleted, and unauthorized executable files were launched. AZOP found that key security measures such as access restrictions, monitoring, incident response, and corrective actions were either missing or insufficient, which significantly contributed to the success of the attack.

GDPR Articles: Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR
Industry: Health Care