LAZIOcrea S.p.A. – €271,000 Fine (Italy, 2024)

Fine amount: €271,000
Authority: Garante per la protezione dei dati personali
Date: 21 March 2024
Country: Italy
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

On the night of 31 July 2021, a cyber-attack occurred in the healthcare system of the Lazio region, Italy. It had serious repercussions, leaving local health authorities, hospitals and nursing homes ('the controllers') unable to use regional information systems for hours and, in some cases, for months. Essential services related to emergency activities were not interrupted, as they were separated from the other applications. The ransomware attack originated in March 2021 on the computer of a regional employee working remotely for one of the entities. The employee installed malicious software that was presented as necessary to connect to the processor’s network. The software created a backdoor into the system and stole the employee’s access credentials. LAZIOcrea S.p.a. was the company responsible for the management and security of the information systems of the Lazio Region pursuant to Article 28 GDPR (‘processor’ or ‘company’). The attack targeted machines located in one of the rooms of the data center managed by the company. The company was therefore also acting as a controller for its own purposes, as the operating systems that were attacked also managed additional processing activities. The company did not notify the data breach immediately but with considerable delay, and in any case beyond the 72 hours required by Article 33 GDPR. The data breach was notified to the affected controllers about two weeks after the incident, without specific references to the attacked processing systems, which would have helped each controller delineate the extent of the breach and evaluate the associated risks. The breach notification itself did not document necessary information about the attack, such as the date and time of closure of the incident, the date and time of resolution of the incident, and the person who detected the incident. Moreover, some of the information provided was inaccurate, such as the description of the incident and the response actions carried out. Due to this, the It

GDPR Articles Cited

Articles as verified against the source document:

Art. 5(1)(f) GDPR
Art. 33(1) GDPR
Art. 33(2) GDPR
Art. 33(5) GDPR
Original scraped data (before AI verification against the source document):
Art. 5(1)(f) GDPR
Art. 33(1) GDPR
Art. 33(2) GDPR
Art. 33(5) GDPR
Art. 42 GDPR


Source verified 6 March 2026; article list corrected.

Related Enforcement Actions (0)

No other enforcement actions found for LAZIOcrea S.p.A. in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

21 March 2024

Authority

Garante per la protezione dei dati personali

Fine Amount

€271,000

GDPRhub ID

gdprhub-7862

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. LAZIOcrea S.p.A. - Italy (2024). Retrieved from cookiefines.eu
