Outdated software and inadequate alerting facilitated the hacker attack

With a fine of 25 thousand euros, the Italian Data Protection Authority (Garante per la protezione dei dati personali) has closed the proceedings opened against a University Hospital that suffered a hacker attack on its information systems in December 2022. The data breach, caused by ransomware introduced into the systems through access to a company PC over an open VPN connection, resulted in the loss of confidentiality, integrity and availability of the personal data of a large number of data subjects, including employees, consultants and patients. The breach did not, however, lead to an interruption of healthcare services.
The Authority opened the case following the breach notification submitted by the hospital. The documentation provided and the inspection carried out by the Garante revealed shortcomings with respect to the security obligations set out in the GDPR, owing to the adoption of non-updated systems and inadequate measures to promptly detect data breaches and to guarantee the security of the computer networks. In particular, the use of obsolete software for which security updates were no longer provided, together with alerting that did not cover 24 hours a day, facilitated the attack.
During the investigation, the Garante also found further omissions regarding security measures, including the lack of a multi-factor authentication procedure for remote access to the VPN, which instead relied on username and password alone, and the absence of a system to segment and segregate the networks of employee workstations and of the processing servers, so as to prevent the propagation of malware.
https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10086101