Azienda ULSS 6 Euganea – €22,000 Fine (Italy, 2024)

The controller, a health authority managing several hospitals and other health facilities, experienced a cyberattack. This led to the unauthorised access to files stored in the controller's servers. These files contained personal data of both employees and patients, including medical documents and images. The controller notified the data breach to the DPA in accordance with Article 33 GDPR and to data subjects according to Article 34 GDPR. Moreover, several data subjects filed a complaint with the DPA. The controller argued that it was in the process of updating its IT system and improving its security measures. First, the DPA considered that the data breach notification to itself and data subjects was made without an undue delay and, therefore, did not find a violation of Article 33 and 34 GDPR. However, the DPA noted that the controller did not implement appropriate measures to ensure that it could timely learn about unauthorised accesses to the IT system. Therefore, it found a violation of Article 5(1)(f) GDPR in combination with Article 32(1) GDPR. Secondly, the DPA held that the technical and organisational measures implemented by the controller to avoid cyberattacks were not adequate. For example, two-factor authentication was not implemented. Therefore, the DPA found a violation of Article 5(1)(f) GDPR in combination with Article 32(1) GDPR. On these grounds, the DPA fined the controller €22,000.