Centro di Medicina preventiva s.r.l.

€10,000

Insufficient technical and organisational measures to ensure information security

Fecha de la decisión

16 de diciembre de 2021

Autoridad

Italian Data Protection Authority (Garante)

IT

Sector

Health Care

País

IT

Ley

GDPR

Estado

FINAL

Descripción

The Italian DPA (Garante) has fined Centro di Medicina preventiva s.r.l. EUR 10,000. The controller reported a database under Art. 33 GDPR in connection with a cyberattack by a hacker group. During the cyberattack, the hacker managed to gain access to a list of patient data. The hacker then published this list that contained personal data, including sensitive data, of patients and radio-diagnostic tests on Twitter. The DPA found that the controller had not implemented appropriate technical and organizational measures to ensure the security of the personal data. For example, the medical center's server disclosed the requested personal data during a query without verifying the identity and credentials of the requester, allowing unauthenticated connections to reach from outside the medical center.

Citas legales

Art. 5Art. 25Art. 32Art. 37

Problemas e infracciones

Insufficient technical and organisational measures to ensure information security
Ver documento oficial
Volver a la base de datos de multas
Multa anterior
Deputy Data Protection Ombudsman - Motor insurance...
Siguiente multa
Data Protection Authority of Hamburg (HmbBfDI) - C...

Manténgase al día sobre la aplicación de las normas de protección de la intimidad

Respetamos su intimidad. Un correo electrónico al mes, sin spam, darse de baja en cualquier momento.