The personal data protection office has received a report of a personal data breach from Telemedicine sp. z o.o., the owner of a telemedicine platform providing consultations with many doctors. The case is under investigation.
The administrator received information from an outside person about a security error in one of the subsystems responsible for voice calls. As a result of the system breach, an authorized person could, for a short period of time, have gained unauthorized access to a user's phone number and, if the consultation also included an audio recording, been able to download it.
Immediately after receiving this information, the company removed the error by blocking the system, without any other negative consequences for customer service. In addition, the administrator secured the data against unauthorized access.
The incident can lead to a loss of confidentiality of patients' personal data, which is protected by professional secrecy.
Reporting a data breach
The aim of breach reporting is, among other things, to allow the supervisory authority to assess whether the data controller has correctly fulfilled, for example, the obligation to inform data subjects about the breach, where the situation requires it.
In the case of data breaches, the personal data protection office cooperates with administrators, offers advice, or reviews the content of the data breach notification for data subjects. The activity of the supervisory authority is aimed at guaranteeing that the data controller processes personal data lawfully.
What can I do when the breach concerns my personal data?
First of all, be careful when entering your data online. Examine messages received from the administrator, for example by SMS or email, in order to avoid, for example, a phishing attack whose aim could be to obtain additional data.
Hacking attacks, i.e. breach of security of IT systems where personal data are processed or use of existing vulnerabilities (gaps) in these systems: these are situations where unauthorised persons obtain (or have the opportunity to obtain) personal data. If the controller decides that there is a risk of unauthorised use of personal data, which may lead to a threat to the rights or freedoms of individuals (e.g. so-called identity theft), he or she must inform the data subject of the incident.
Persons who suspect that they have been victims of identity theft should first report it to the police. The supervisory authority is not a law enforcement authority and does not have the power to conduct proceedings to detect the perpetrator of a crime, assess whether a crime has been committed, qualify a criminal act, or impose an appropriate penalty.
SOURCE: DATA PROTECTION AUTHORITY OF POLAND – UODO