American Heart of Poland S.A. – €331,326 Fine (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
American Heart of Poland S.A. was fined EUR 331,326 after hackers accessed their systems and stole personal data from about 21,000 people. The investigation showed that the company failed to update their software and had weak security practices. This case serves as a reminder for healthcare providers to strengthen their data protection measures.
What happened
The Polish DPA fined American Heart of Poland S.A. for inadequate security that allowed hackers to access sensitive personal data.
Who was affected
Approximately 21,000 employees and patients of American Heart of Poland S.A. whose personal information was compromised in the attack.
What the authority found
The DPA determined that the company did not implement necessary security updates and failed to follow their own data storage policies, violating GDPR standards.
Why this matters
This case highlights the critical need for regular software updates and strong security protocols, especially in the healthcare sector, to prevent data breaches.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
A hacker group attacked one of the Polish companies in the medical sector, American Heart of Poland SA. The hackers gained access to the company's network drives and installed ransomware. The following categories of personal data of approximately 21,000 of the company's employees and patients were affected:
* Name, surname, parents' names, date of birth, e-mail address, phone number.
* Address data.
* PESEL number, ID number.
* Bank account number, financial data.
* Data concerning health.
* Credentials of the company's user accounts.
The hackers demanded a ransom of USD 3,000,000. To pressure the company into paying the ransom, the hackers shared a sample of the obtained data on a Darknet website. Due to the loss of availability and confidentiality of the data, the company, acting as a data controller, notified the Polish DPA (UODO) of the breach under Article 33 GDPR. In response, the DPA initiated an investigation. Initially, the controller did not find the source of the data breach. However, after an in-depth analysis by a third-party specialist, it turned out that the company's failure to update its software led to the breach: there was an exploitable vulnerability in the software that made it possible to gain external control over one of the devices connected to it. The company's IT department, responsible for the update, failed to carry it out. The controller's ISO audit also did not mention the vulnerability. Moreover, inadequate password quality and a phishing attack were indicated as potential sources of the breach. Additionally, during the investigation, the DPA found that the controller stored the data affected by the breach contrary to its own policy: data relating to health had to be stored on specific drives, not network ones. The data controller was actively involved in handling the data breach, inter alia by facilitating contact with data subjects (through a dedicated call centre). The outcome of the investigation and the identified shortcomings led the DPA to open ex-officio proceedings against the controller. T
Related Enforcement Actions (0)
No other enforcement actions found for American Heart of Poland S.A. in Poland (PL).
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
20 May 2024
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€331,326
1,440,549 PLN
About this data
Cite as: Cookie Fines. American Heart of Poland S.A. - Poland (2024). Retrieved from cookiefines.eu