Data breach incidents: new attack targets health sector
The digitalization of healthcare services is generally applauded, as it leads to increased efficiency, better quality of care, lower administrative costs, and patient empowerment. However, the digitalization of such services is not without risk from a data protection perspective, in particular given the ‘sensitive’ nature and strict legal protection of personal health information.
Belgian doctors and hospitals have recently learned the hard way that they are indeed a hacker target.
There are, of course, significant benefits to the digitalization of healthcare services: increased efficiency, better quality of care, lower costs, patients’ empowerment, and tailor-made follow-up are only a few examples.
However, when digitalizing healthcare services, one must remain aware of the risk this entails from a data protection perspective. Personal health information is often very sensitive and is therefore also protected by a very strict legal regime. This type of information includes patient records held by a doctor or hospital, but also certain information included employee records (e.g. relating to sick leave).
Some 500.000 Belgian doctors and hospitals recently learned the hard way that their patient data was seemingly inadequately protected against hacking attacks.
An unknown hacker managed to steal certain patient data via the Flemish website “Digitale Wachtkamer”, a website / online tool allowing patients to set up appointments with their doctor.
The hacker was able to access the email addresses, phone numbers as well as the passwords of the patients. Moreover, and perhaps even more disturbing, the hacker also managed to retrieve the personal messages sent by the patients via the website, accompanying their request for an appointment. In some cases, this meant that the medical reason(s) for the appointment were accessed and stolen. This type of personal ‘health’ data is in fact a special category of data that is considered particularly ‘sensitive’ by nature and should benefit from additional protection against unlawful access and disclosure.
42 bitcoins for silence
In an e-mail sent to the manager of the web application, the hacker threatened to make the stolen data public if he/she did not receive 42 bitcoins (equivalent to more or less EUR 85.000).
Faced with this blackmailing attempt, the company responsible for the “Digitale Wachtkamer” decided to lodge a complaint with the computer crime specialists of the Belgian police.
A new data breach calling once more for vigilance when it comes to data security
After WannaCry and Petya, this data breach is yet another example evidencing the importance of ensuring an appropriate level of data security, taking into account the nature of the data, the scope of the processing, the identified risks, etc.
With the entering into force of the new EU General Data Protection Regulation (GDPR) on 25 May 2018, it is crucial for companies in various sectors to implement strict data security policies, measures for the (quick) notification of data breaches, as well as pseudonymisation/anonymization tools, in order to prevent and react appropriately to data breach events.
In addition, also the mandatory implementation of the “Network Information Security Directive” (NIS-Directive) by EU Member States by 9 May 2018 will have an important impact on the data security practices of undertakings in a number of specific sectors (energy, transport, banking, financial market infrastructures, health and drinking water supply and distribution, digital infrastructure, and digital service providers such as search engines, online marketplaces and cloud computing service providers).
To ensure a high common level of network and information security in these specific sectors, the NIS-Directive lays down a number of measures to be taken to prevent, handle and respond to risks and incidents affecting networks and information systems.
The notification duty, preventive measures, and sanctions provided by the NIS-Directive (as well as the data breach reporting obligations under the GDPR) should lead to more transparency and awareness regarding cybersecurity risks.
For more information (e.g. on how and when to notify data breaches, on the implementation of adequate internal policies and procedures, or on the filing of criminal complaints against hackers), contact the authors of this newsflash or your usual contact person within Loyens & Loeff.
Florence D'AthAssociate Attorney at Law
Florence D'Ath, associate, is a member of the Litigation & Risk Management Practice Group in our Luxembourg office and of the Benelux Data Protection Team. She specialises in general commercial law, intellectual property, regulatory and ICT law, with a strong focus on data protection.T: +352 691 963 125 E: email@example.com
Stéphanie De SmedtSenior associate Attorney at Law
Stéphanie De Smedt, attorney-at-law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT Team, the Data Protection Team and the Life Sciences Team.T: +32 2 773 23 77 E: firstname.lastname@example.org