Ransomware Attack Results in €460,000 GDPR Penalty for Centric Health
Centric Health Ltd, a provider of healthcare services to more than 400,000 patients in Ireland, has been fined €460,000 by the Irish Data Protection Commission (DPC) for violations of the EU’s General Data Protection Regulation (GDPR).
The DPC investigated Centric Health after being notified that the healthcare provider had fallen victim to a Calum ransomware attack. The attack affected seven Centric Health clinics and eleven Primacare Health Professionals CLG general practitioner practices within those clinics. Centric Health detected the attack on December 3, 2019, and the investigation confirmed that the Calum ransomware group accessed systems containing the personally identifiable health information of approximately 70,000 patients. Files were encrypted in the attack, and most were recovered after the ransom was paid. Centric Health had performed daily backups and taken daily snapshots, but these were encrypted or deleted in the attack. Centric Health attempted to recover the deleted data from other backups, but some data were missing from its cloud storage, and the company said it permanently lost the data of approximately 2,500 patients. The DPC says the exposed patient data included names, contact information, birth dates, Personal Public Service numbers, and clinical information. The latter is classed as special category data under the GDPR because of its sensitive nature.
The DPC explained that while notifications were sent to the 2,500 patients whose data was lost, notifications about the attack were not sent to the remaining patients whose sensitive data had been exposed. The seven affected clinics, which hosted all 11 practices, were using legacy Primacare systems that stored data locally, including backups. Those systems were in the process of being phased out at the time of the attack.
The attack resulted in the unauthorized processing of personal and special category data (by the ransomware actor) and a loss of availability of data. The DPC determined that Centric Health had failed to implement technical and organizational measures appropriate to the level of risk to special category data, and had failed to implement appropriate safeguards in an effective manner. The DPC also found a lack of documentation demonstrating whether risks or vulnerabilities had previously been identified, and a lack of documentation of any plan to mitigate those risks. These were infringements of Articles 5(1)(f), 5(2), and 32(1) of the GDPR.
The severity of the infringements, especially Articles 5(1)(f) and 32(1) of the GDPR, warranted a financial penalty. The penalty for the infringement of Article 5(1)(f) was €275,000, the penalty for the infringement of Article 5(2) was €50,000, and the penalty for the infringement of Article 32(1) was €135,000 – €460,000 ($488,800 USD) in total.