Italy: Garante fines Napoli 3 Sud Local Health Authority €30,000 for data security failures
On October 23, 2023, the Italian data protection authority (Garante) announced in its newsletter its decision No. 426, issued on September 28, 2023, in which it imposed a fine of €30,000 on the Local Health Authority Napoli 3 Sud for violations of the General Data Protection Regulation (GDPR), following the submission of a data breach notification by the Local Health Authority.
Background to the decision
The Garante noted that the Local Health Authority had notified it of a ransomware attack that had restricted access to the Local Health Authority's database and demanded a ransom for restoring the functioning of the systems. Upon receipt of the notification, the Garante immediately opened an investigation into the incident to verify the technical and organizational measures adopted by the Local Health Authority, both before and after the ransomware attack.
Findings of the Garante
At the end of its investigation, the Garante determined that the Local Health Authority had violated Articles 5(1)(f), 25, and 32 of the GDPR.
Notably, the Garante found that the Local Health Authority had failed to adequately protect the personal data and health data of 842,000 patients and employees from external hacking attacks. Specifically, the Garante held that the Local Health Authority had failed to adopt adequate measures to promptly detect the threat to personal data and to guarantee the security of its networks, thereby also violating the principle of Privacy by Design.
Outcomes
In conclusion, the Garante imposed a fine of €30,000 on the Local Health Authority, which may be appealed before the judicial authority.
You can read the newsletter here and the decision here, both only available in Italian.