Three sanctions from the Privacy Guarantor

The Privacy Guarantor has issued three significant sanctions, of 271 thousand, 120 thousand and 10 thousand euros respectively, against LAZIOcrea (the company that manages regional information systems), the Lazio Region and the ASL Roma 3. These sanctions follow the cyber attack on the IT systems of the Lazio Region that occurred between 31 July and 1 August 2021 and caused a data breach in the regional healthcare system.

The attack, perpetrated through ransomware introduced into the system via a regional employee’s laptop, resulted in the blocking of numerous healthcare services, including bookings, payments, collection of reports and registration of vaccinations. This prevented local health authorities, hospitals and nursing homes from using regional information systems to process the health data of millions of patients for a period ranging from a few hours to several months.

The Guarantor’s investigations found that LAZIOcrea and the Lazio Region committed numerous and serious violations of the privacy legislation, mainly due to the use of outdated systems and the lack of adequate security measures to promptly detect personal data breaches and protect computer networks.

During the cyber attack, inadequate system security prevented regional healthcare facilities from accessing the system and providing services to patients. Approximately 180 virtual servers were made inaccessible and LAZIOcrea shut down all systems without being able to identify the compromised ones or avoid the propagation of the malware. Furthermore, LAZIOcrea did not adequately manage the data breach and its consequences, especially for the numerous healthcare facilities involved.

The Lazio Region, as data controller, should have exercised more effective supervision over LAZIOcrea, ensuring an adequate level of security and data protection right from the design stage.

The Guarantor’s sanctions were determined considering the seriousness of the violations and the degree of responsibility of the subjects involved. In particular, ASL Roma 3 received a fine of 10 thousand euros for failing to notify the interested parties of the data breach.
