Hospital – €20,000 Fine (Croatia, 2025)

Fine amount: €20,000
Authority: Agencija za zaštitu osobnih podataka
Date: 24 March 2025
Country: Croatia
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A hospital in Croatia was fined €20,000 for failing to protect patient data properly after a cyberattack. Attackers accessed sensitive information because of weak security measures, putting patients at risk. The hospital had not implemented the necessary protections, which led to a significant data breach.

What happened

The hospital failed to secure its systems, resulting in a cyberattack that compromised over 3 GB of personal data.

Who was affected

Patients whose personal data was unlawfully copied during the cyberattack.

What the authority found

The Croatian data protection authority found that the hospital did not have adequate security measures in place, violating GDPR requirements.

Why this matters

This ruling serves as a warning to healthcare providers about the need for strong data protection practices. Hospitals must prioritize cybersecurity to safeguard patient information.

GDPR Articles Cited (AI-verified)

Art. 32(1)(b) GDPR
Art. 32(2) GDPR
Original scraped data (from the scraper, before AI verification against the source document):

Art. 32(1)(b) GDPR
Art. 32(1)(d) GDPR
Art. 32(2) GDPR

Source verified 13 March 2026 (flags: articles corrected; amount discrepancy)

Full Legal Summary

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system, and obtained domain administrator rights. In addition to the data breach, numerous servers were locked, backups were deleted, and unauthorized executable files were launched. AZOP found that key security measures such as access restrictions, monitoring, incident response, and corrective actions were either missing or insufficient, which significantly contributed to the success of the attack.

Details

Fine Date

24 March 2025

Authority

Agencija za zaštitu osobnih podataka

Fine Amount

€20,000

Enforcement Tracker ID

ETid-2605

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hospital - Croatia (2025). Retrieved from cookiefines.eu
