You are here:
24 July 2017 / article

Data breach incidents: new attack targets health sector

The digitalization of healthcare services is generally applauded, as it leads to increased efficiency, better quality of care, lower administrative costs, and patient empowerment. However, the digitalization of such services is not without risk from a data protection perspective, in particular given the ‘sensitive’ nature and strict legal protection of personal health information.

2017 is the year of data breach incidents new attack targets health sector

Belgian doctors and hospitals have recently learned the hard way that they are indeed a hacker target.

There are, of course, significant benefits to the digitalization of healthcare services: increased efficiency, better quality of care, lower costs, patients’ empowerment, and tailor-made follow-up are only a few examples.

However, when digitalizing healthcare services, one must remain aware of the risk this entails from a data protection perspective. Personal health information is often very sensitive and is therefore also protected by a very strict legal regime. This type of information includes patient records held by a doctor or hospital, but also certain information included employee records (e.g. relating to sick leave).

What happened?

Some 500.000 Belgian doctors and hospitals recently learned the hard way that their patient data was seemingly inadequately protected against hacking attacks.

An unknown hacker managed to steal certain patient data via the Flemish website “Digitale Wachtkamer”, a website / online tool allowing patients to set up appointments with their doctor.

The hacker was able to access the email addresses, phone numbers as well as the passwords of the patients. Moreover, and perhaps even more disturbing, the hacker also managed to retrieve the personal messages sent by the patients via the website, accompanying their request for an appointment. In some cases, this meant that the medical reason(s) for the appointment were accessed and stolen. This type of personal ‘health’ data is in fact a special category of data that is considered particularly ‘sensitive’ by nature and should benefit from additional protection against unlawful access and disclosure.

42 bitcoins for silence

In an e-mail sent to the manager of the web application, the hacker threatened to make the stolen data public if he/she did not receive 42 bitcoins (equivalent to more or less EUR 85.000).

Faced with this blackmailing attempt, the company responsible for the “Digitale Wachtkamer” decided to lodge a complaint with the computer crime specialists of the Belgian police.

A new data breach calling once more for vigilance when it comes to data security

After WannaCry and Petya, this data breach is yet another example evidencing the importance of ensuring an appropriate level of data security, taking into account the nature of the data, the scope of the processing, the identified risks, etc.

With the entering into force of the new EU General Data Protection Regulation (GDPR) on 25 May 2018, it is crucial for companies in various sectors to implement strict data security policies, measures for the (quick) notification of data breaches, as well as pseudonymisation/anonymization tools, in order to prevent and react appropriately to data breach events.

In addition, also the mandatory implementation of the “Network Information Security Directive” (NIS-Directive) by EU Member States by 9 May 2018 will have an important impact on the data security practices of undertakings in a number of specific sectors (energy, transport, banking, financial market infrastructures, health and drinking water supply and distribution, digital infrastructure, and digital service providers such as search engines, online marketplaces and cloud computing service providers).

To ensure a high common level of network and information security in these specific sectors, the NIS-Directive lays down a number of measures to be taken to prevent, handle and respond to risks and incidents affecting networks and information systems.

The notification duty, preventive measures, and sanctions provided by the NIS-Directive (as well as the data breach reporting obligations under the GDPR) should lead to more transparency and awareness regarding cybersecurity risks.


For more information (e.g. on how and when to notify data breaches, on the implementation of adequate internal policies and procedures, or on the filing of criminal complaints against hackers), contact the authors of this newsflash or your usual contact person within Loyens & Loeff.

Belgian competition authority conducts dawn raids at hospitals and pharma companies

Belgian competition authority conducts dawn raids at hospitals and pharma companies

The Belgian competition authority highlights its particular cartel enforcement focus on the pharmaceutical and healthcare sector by conducting dawnraids at... read more
Belgian competition authority fines the professional association of Belgian pharmacists

Belgian competition authority fines the professional association of Belgian pharmacists (again)

The Belgian competition authority imposes cartel fines on the professional association of Belgian pharmacists for a second time in 6 months for anticompetitive... read more
More clarity on the exemption of wage withholding tax for construction industry

More clarity on the exemption of wage withholding tax for construction industry

Since 1 January 2018 construction companies, that employ shift workers, can benefit from a substantial cut in payroll taxes. Recent legislation clarifies this... read more