Croatia

Hospital

20,000 €

GDPR enforcement action by Croatian Data Protection Authority (azop) on 2025-03-24.

Rank · Sector

#101

of 270 in Health Care

Rank · Croatia

#24

of 43

Rank · All fines

#1,092

of 3,042

Case details

Authority: Croatian Data Protection Authority (azop)
Date: 2025-03-24
Controller / Processor: Hospital
Sector: Health Care
Quoted Articles: Art. 32 (1) b), d) GDPR, Art. 32 (2) GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Croatian DPA (AZOP) imposed a fine of EUR 20,000 on a hospital for failing to implement adequate technical and organizational measures to protect personal data in line with Art. 32 (1) (b) and (d), and Art. 32 (2) GDPR. Following a cyberattack, it was revealed that over a period of seven days, at least 3 GB of personal data had been unlawfully copied from the system. The attacker allegedly gained access through social engineering and a VPN connection, exploited an outdated operating system, and obtained domain administrator rights. In addition to the data breach, numerous servers were locked, backups were deleted, and unauthorized executable files were launched. AZOP found that key security measures such as access restrictions, monitoring, incident response, and corrective actions were either missing or insufficient, which significantly contributed to the success of the attack.

Open original source Links to the regulator's original publication or another source.