Centro di Medicina preventiva s.r.l.

€10,000

Insufficient technical and organisational measures to ensure information security

Decision Date

December 16, 2021

Authority

Italian Data Protection Authority (Garante)

IT

Sector

Health Care

Country

IT

Law

GDPR

Status

FINAL

Description

The Italian DPA (Garante) has fined Centro di Medicina preventiva s.r.l. EUR 10,000. The controller reported a database under Art. 33 GDPR in connection with a cyberattack by a hacker group. During the cyberattack, the hacker managed to gain access to a list of patient data. The hacker then published this list that contained personal data, including sensitive data, of patients and radio-diagnostic tests on Twitter. The DPA found that the controller had not implemented appropriate technical and organizational measures to ensure the security of the personal data. For example, the medical center's server disclosed the requested personal data during a query without verifying the identity and credentials of the requester, allowing unauthenticated connections to reach from outside the medical center.

Legal Citations

Art. 5Art. 25Art. 32Art. 37

Issues & Violations

Insufficient technical and organisational measures to ensure information security
View Official Document
Back to Fines Database
Previous Fine
Deputy Data Protection Ombudsman - Motor insurance...
Next Fine
Data Protection Authority of Hamburg (HmbBfDI) - C...

Stay Updated on Privacy Enforcement

We respect your privacy. One email per month, no spam, unsubscribe anytime.