databreaches.net 3/25/2026, 1:32:58 PM

Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack

According to the Privacy Guarantor, the Order of Psychologists of the Lombardy Region was fined 30 thousand euros for not adopting adequate technical and organisational measures to guarantee data security.

The sanction followed complaints and a data breach notification after a sophisticated ransomware attack carried out by a group of cybercriminals, which involved unauthorized access to the Order’s computer network, the encryption and exfiltration of numerous documents containing personal data of members of the Register, patients including minors, and other involved persons.

The data affected included special categories such as information revealing racial or ethnic origin, religious beliefs, trade union membership, sexual life or orientation, health and criminal convictions. After the ransom was not paid, the attackers published the exfiltrated data on the dark web. The availability and integrity of the data were not compromised, however, and the data were recovered thanks to procedures and backup systems.

The Guarantor’s investigation found the Order had not promptly detected violations or guaranteed the security of its processing systems, with the sanction reflecting the seriousness and sensitivity of the data involved. The Order’s collaboration was recognised, and it said it had adopted additional security measures to prevent future attacks and improve protection of personal data.

Article by CyberSIXT