Italy

Centro di Medicina preventiva s.r.l.

10,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2021-12-16.

Rank · Sector

#131

of 270 in Health Care

Rank · Italy

#262

of 543

Rank · All fines

#1,343

of 3,044

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2021-12-16
Controller / Processor: Centro di Medicina preventiva s.r.l.
Sector: Health Care
Quoted Articles: Art. 5 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 37 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Italian DPA (Garante) has fined Centro di Medicina preventiva s.r.l. EUR 10,000. The controller reported a database under Art. 33 GDPR in connection with a cyberattack by a hacker group. During the cyberattack, the hacker managed to gain access to a list of patient data. The hacker then published this list that contained personal data, including sensitive data, of patients and radio-diagnostic tests on Twitter. The DPA found that the controller had not implemented appropriate technical and organizational measures to ensure the security of the personal data.
For example, the medical center's server disclosed the requested personal data during a query without verifying the identity and credentials of the requester, allowing unauthenticated connections to reach from outside the medical center.

Open original source Links to the regulator's original publication or another source.