Virtue Integrated Elder Care Ltd – €100,000 Fine (Ireland, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Virtue Integrated Elder Care Ltd was fined €100,000 in Ireland after a phishing attack exposed personal data due to inadequate security measures. This incident stresses the importance of strong cybersecurity practices to protect sensitive information. Companies must regularly update and test their security systems.
What happened
Virtue Integrated Elder Care Ltd experienced a data breach after a phishing attack compromised an email account.
Who was affected
Individuals whose personal data was exposed due to the phishing attack on Virtue Integrated Elder Care Ltd's systems.
What the authority found
The Irish data protection authority determined that Virtue Integrated Elder Care Ltd failed to implement adequate security measures, violating GDPR's requirements for data protection.
Why this matters
This case underscores the critical need for robust cybersecurity measures and regular security testing to prevent data breaches. It serves as a warning for businesses to ensure their data protection practices meet legal standards to avoid costly penalties.
GDPR Articles Cited
Virtue Integrated Elder Care Ltd ("VIEC"), the controller, operates and manages five nursing homes in Dublin, Ireland. On 15 August 2020, VIEC became aware through a report to their IT helpdesk that one of the users of their internal systems was being blocked from sending emails. The controller subsequently discovered that the email address of one of its managers had been subject to a phishing attack, and that emails had been rerouted to a third party Gmail account. On 19 August 2019, VIEC notified the Irish DPA (the DPC) of a personal data breach. Based on initial analysis of the breach notification and subsequent documentation provided during the breach handling process, the DPC considered that the matter concerned a possible “breach of security potentially leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” by VIEC. As a result, the DPC commenced an investigation. In a commencement letter, the DPC informed VIEC that their inquiry would examine whether or not the company discharged its obligations in connection with the subject matter of the personal data breach and determine whether or not any provision(s) of data protection law had been violated by VIEC in that context. The scope of the inquiry was stated to include the following. Firstly, the steps taken by VIEC to comply with the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR. Secondly, the technical and organisational measures taken to ensure security of processing pursuant to Article 32(1) GDPR. Thirdly, the ability of the controller to demonstrate ongoing confidentiality, integrity, availability of personal data pursuant to Article 32(1)(b) GDPR. Fourth, the process employed by VIEC for regularly testing the effectiveness of measures for ensuring appropriate security pursuant to Article 32(1)(d) GDPR. Fifth, and finally, the ability of VIEC to demonstrate that
Related Enforcement Actions (0)
No other enforcement actions found for Virtue Integrated Elder Care Ltd in IE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
20 December 2022
Authority
Data Protection Commission
Fine Amount
€100,000
GDPRhub ID
gdprhub-5689About this data
Cite as: Cookie Fines. Virtue Integrated Elder Care Ltd - Ireland (2022). Retrieved from cookiefines.eu
Last updated: