American Heart of Poland S.A. – €331,326 Fine (Poland, 2024)

€331,326 · Urząd Ochrony Danych Osobowych · 20 May 2024 · Poland
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A hacker group attacked a Polish medical-sector company, American Heart of Poland SA. The hackers gained access to the company's network drives and installed ransomware. The following categories of personal data of approximately 21,000 of the company's employees and patients were affected:
* Name, surname, parents' names, date of birth, e-mail address, phone number.
* Address data.
* PESEL number, ID number.
* Bank account number, financial data.
* Data concerning health.
* Credentials of the company's user accounts.
The hackers demanded a ransom of USD 3,000,000. To pressure the company into paying, the hackers published a sample of the obtained data on a darknet website. Due to the loss of availability and confidentiality of the data, the company, acting as data controller, notified the Polish DPA (UODO) of the breach under Article 33 GDPR. In response, the DPA initiated an investigation. Initially, the controller could not identify the source of the breach. However, an in-depth analysis by a third-party specialist showed that a missing software update led to the breach: the software contained an exploitable vulnerability that made it possible to gain external control over one of the devices connected to it. The company's IT department, which was responsible for the update, had failed to apply it. The controller's ISO audit also did not mention the vulnerability. Moreover, inadequate password quality and a phishing attack were indicated as potential sources of the breach. Additionally, during the investigation the DPA found that the controller had stored the affected data contrary to its own policy: health data had to be stored on specific drives, not on network drives. The data controller was actively involved in handling the data breach, inter alia by facilitating contact with data subjects (through a dedicated call centre). The outcome of the investigation and the identified shortcomings led the DPA to open ex officio proceedings against the controller. T

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR
Art. 5(2) GDPR
Art. 24(1) GDPR
Art. 32(1) GDPR
Art. 32(2) GDPR

Source verified 6 March 2026 (amount discrepancy flagged)

Related Enforcement Actions (0)

No other enforcement actions found for American Heart of Poland S.A. in PL

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

20 May 2024

Authority

Urząd Ochrony Danych Osobowych

Fine Amount

€331,326

1,440,549 PLN

GDPRhub ID

gdprhub-8234

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. American Heart of Poland S.A. - Poland (2024). Retrieved from cookiefines.eu
