The President of the Polish Data Protection Authority (UODO) has imposed a fine of PLN 40,000 on the Independent Public Healthcare Center (SPZOZ) in Pajęczno for inadequate data protection measures. In February 2022, the center suffered a ransomware attack, which resulted in the encryption of the personal data of 30,000 patients and over 1,000 employees.
SPZOZ reported the incident to UODO and the police but initially downplayed its severity, on the grounds that the data had not been exfiltrated and was merely inaccessible. Under the GDPR, however, loss of availability of personal data (here, through encryption) is itself a personal data breach, whether or not the data left the organisation. UODO's investigation also found that the healthcare center had neither documented procedures nor a risk analysis in place, so it could not have selected or justified security measures appropriate to the risk.
The fine was imposed due to inadequate pre-incident actions and errors made after the incident, such as failing to notify affected individuals about the loss of access to their data. SPZOZ has been given 30 days to implement improved security measures and to inform the affected individuals about the incident.