LAZIOcrea S.p.A. – €271,000 Fine (Italy, 2024)

€271,000 | Garante per la protezione dei dati personali | 21 March 2024 | Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

LAZIOcrea S.p.A. was fined €271,000 after a cyber-attack disrupted healthcare services in the Lazio region of Italy. This incident is significant because it shows the serious consequences of failing to protect sensitive data and the importance of timely breach notifications.

What happened

A ransomware attack on the healthcare system caused major disruptions and the company failed to notify the data breach within the required timeframe.

Who was affected

Local health authorities, hospitals, and nursing homes in the Lazio region that relied on the affected information systems.

What the authority found

The Italian Data Protection Authority ruled that LAZIOcrea did not comply with data protection rules by delaying the notification of the data breach beyond the required 72 hours.

Why this matters

This ruling highlights the need for companies to have strong cybersecurity measures and to act quickly when breaches occur. It serves as a warning to all businesses about the importance of protecting personal data and complying with notification requirements.

GDPR Articles Cited

AI-verified

Art. 42 GDPR
Art. 5(1)(f) GDPR
Art. 33(1) GDPR
Art. 33(2) GDPR
Art. 33(5) GDPR

Source verified 6 March 2026
articles corrected
Full Legal Summary

On the night of 31 July 2021, a cyber-attack occurred in the healthcare system of the Lazio region, Italy. It had serious repercussions: local health authorities, hospitals and nursing homes ('the controllers') were unable to use regional information systems for hours and in some cases even for months. Essential services related to the emergency activities were not interrupted, as they were separated from other applications.

The ransomware attack originated in March 2021 on a computer of a regional employee working remotely for one of the entities. The employee installed malicious software necessary to connect to the processor's network. The software created a backdoor to the system, stealing the employee's access credentials. LAZIOcrea S.p.A. was a company responsible for the management and security of the information systems of Lazio Region pursuant to Article 28 GDPR ('processor' or 'company'). The attack targeted machines located in one of the rooms of the data center managed by the company. The company was therefore also acting as a controller for its own purposes, as the operating systems which were attacked also managed additional processing activities.

The company did not notify the data breach immediately but with considerable delay, and in any case beyond the 72 hours required by Article 33 GDPR. The data breach was notified to the affected controllers about two weeks after the incident, and the notification lacked specific references to the attacked processing systems, which would have helped each controller to delineate the extent of the breach and evaluate the associated risks. The notification of the data breach itself did not document necessary information about the attack, such as the date and time of closure of the incident, the date and time of resolution of the incident, and the person who detected the incident. Moreover, some of the information provided was inaccurate, i.e. the description of the incident and the response actions carried out. Due to this, the It

Related Enforcement Actions (0)

No other enforcement actions found for LAZIOcrea S.p.A. in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

21 March 2024

Authority

Garante per la protezione dei dati personali

Fine Amount

€271,000

GDPRhub ID

gdprhub-7862

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. LAZIOcrea S.p.A. - Italy (2024). Retrieved from cookiefines.eu
