Engineering Ingegneria Informatica S.p.a. – €10,000 Fine (Italy, 2024)
Engineering Ingegneria Informatica S.p.a. was fined for not having proper security measures in place to protect personal data. This is important because it shows that companies must take responsibility for the security of the systems they develop. Businesses should ensure their software is secure to avoid breaches.
What happened
Engineering Ingegneria Informatica S.p.a. failed to implement appropriate security measures for its software, leading to unauthorized access to personal data.
Who was affected
Users of the electronic health records system whose data was accessed without permission were affected.
What the authority found
The authority ruled that the company violated GDPR by not ensuring adequate security for personal data processing.
Why this matters
This ruling highlights the responsibility of service providers to maintain strong security practices. Companies should conduct regular security assessments to protect user data.
The Region of Molise (the data controller) used an information system to handle electronic health records and make them available to citizens. This processing of personal data involved several processors and sub-processors, including telecom TIM S.p.a. and TIM's sub-processor Engineering Ingegneria Informatica S.p.a. (the sub-processor).

A user logged into the records system with his patient-level account. He was then able to access files of other users by changing the URL of the page. He accessed personal data such as personal details and addresses, including sensitive data such as medical records. The user informed the controller of the vulnerability. The vulnerability was immediately addressed by limiting access privileges for patient-level accounts. At the request of the controller, the processor assessed the software for similar vulnerabilities. The controller notified the Italian authority of the data breach. Based on system logs, the controller claimed that the data of seven people were accessed without authorization.

The sub-processor pointed out that its subcontracting agreement with TIM S.p.a. did not cover vulnerability assessments. On this basis, the sub-processor argued that it was under no obligation to assess the security of its software.

The authority held that the sub-processor violated Article 32 GDPR by failing to implement appropriate security measures. Therefore, the authority fined the controller €10,000. The authority rejected the sub-processor's argument that it was under no obligation to assess security. The authority observed that the data processing agreement did provide for the obligation to ensure software security, regardless of the subcontracting agreement. The authority also clarified that ensuring the security of software is due diligence for a software developer.
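The defect the summary describes is a missing object-level authorization check: the record identifier taken from the URL was used as the only input to the lookup, so any patient-level account could read any record. The following added example (not code from the page, from Engineering Ingegneria Informatica, from TIM or from the Molise records system) shows the handler in the failing form next to a hardened form that decides against the session rather than the request, and a log audit of the kind the controller relied on to count affected people. The record store, role names, field names and log lines are constructed for illustration.

```python
"""Object-level authorization for a records endpoint, plus a log audit.

Added example. The store, request shape and log format are constructed
(hypothetical); they are not the real system's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int   # the patient this record belongs to
    body: str       # health data; must only leave the owner's account


# Constructed record store: record_id -> Record
RECORDS = {
    101: Record(101, owner_id=1, body="patient 1 medical history"),
    102: Record(102, owner_id=2, body="patient 2 medical history"),
    103: Record(103, owner_id=3, body="patient 3 medical history"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def fetch_record_vulnerable(session_user_id: int, record_id: int) -> Record:
    """The failure mode on the page: the handler trusts the id from the URL
    and never compares the record's owner with the logged-in account."""
    return RECORDS[record_id]


def fetch_record(session_user_id: int, role: str, record_id: int) -> Record:
    """Hardened handler: the id from the URL is only a lookup key; whether the
    record is returned is decided against the session (who is logged in, with
    which role), never against anything the client supplied."""
    record = RECORDS.get(record_id)
    if record is None:
        # Same outcome as "not yours" so missing and unauthorized ids are
        # indistinguishable to the caller.
        raise Forbidden(record_id)
    if role == "patient" and record.owner_id != session_user_id:
        raise Forbidden(record_id)
    if role not in ("patient", "clinician"):
        raise Forbidden(record_id)
    return record


def can_read(session_user_id: int, role: str, record_id: int) -> bool:
    """Boolean view of the hardened check, convenient for tests and audits."""
    try:
        fetch_record(session_user_id, role, record_id)
        return True
    except Forbidden:
        return False


# Constructed access log in key=value form; one line per served request.
ACCESS_LOG = [
    "ts=2024-01-01T10:00:00 user=1 role=patient record=101 status=200",
    "ts=2024-01-01T10:00:05 user=1 role=patient record=102 status=200",
    "ts=2024-01-01T10:00:09 user=1 role=patient record=103 status=200",
    "ts=2024-01-01T10:01:00 user=2 role=patient record=102 status=200",
    "ts=2024-01-01T10:02:00 user=9 role=clinician record=103 status=200",
]


def audit_cross_account_reads(log_lines):
    """Reconstruct from the access log which patient accounts were served
    records they do not own. Returns {reader_id: set of owner_ids read},
    so len(set().union(*result.values())) is the number of people affected."""
    hits = {}
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        if fields.get("role") != "patient" or fields.get("status") != "200":
            continue
        reader = int(fields["user"])
        record = RECORDS.get(int(fields["record"]))
        if record is not None and record.owner_id != reader:
            hits.setdefault(reader, set()).add(record.owner_id)
    return hits


if __name__ == "__main__":
    print("vulnerable handler served:", fetch_record_vulnerable(1, 102).body)
    print("hardened handler allows own record:", can_read(1, "patient", 101))
    print("hardened handler allows other's record:", can_read(1, "patient", 102))
    print("cross-account reads in log:", audit_cross_account_reads(ACCESS_LOG))
```

The point of `fetch_record` is that the ownership comparison happens on every read and uses only server-side session state; limiting patient-level privileges, the remediation the summary mentions, is this check applied consistently. The audit function is the log-side counterpart: run over the real access log (with the real field names), it yields the set of owners whose data a given account was served, which is how a controller can state how many people were affected after the fact.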
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Engineering Ingegneria Informatica S.p.a. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
27 November 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€10,000
GDPRhub ID
gdprhub-8898
Cite as: Cookie Fines. Engineering Ingegneria Informatica S.p.a. - Italy (2024). Retrieved from cookiefines.eu