Do companies have a special obligation to protect extremely sensitive personal data like medical records? Legislatures around the world have often said yes, enacting stiff penalties for failure to take adequate precautions against cybercrime or noncompliance under statutes like HIPAA and the GDPR. So what happens when a company fails to meet its obligation? If recently imposed penalties are any indication, it could be looking at enormous fines that set a new GDPR penalty record.
Extra Sensitive Data Requires Extra Strong Protection
Protection of healthcare data is one of the most fundamental expectations that patients have from their care providers. Even before electronic recordkeeping, many countries had laws in place to require certain data handling procedures, regulate who could access those records, and punish medical providers that failed to protect the privacy of patient records. In the electronic recordkeeping era, those restrictions have grown even tighter, with strict rules regulating access and compliance for data handling and storage – with equally stiff consequences for failure to protect patient data. Even as threats including attacks by nation-state actors and ransomware became a menace for hospitals and clinics, regulators were quick to punish medical care providers who fell victim to cybercrime that allowed bad actors access to patient data.
Even a Small Medical Data Breach Costs a Fortune
That’s still the case, and as threats escalate so do penalties. After falling victim to a ransomware attack in 2016, Athens Orthopedic Clinic PA was fined $1.5 million to settle HIPAA violations after the data of more than 138,000 patients was exposed. It doesn’t even have to be criminal activity that sets a medical provider up for trouble. In July 2020, Lifespan Health System in Rhode Island was fined more than $1 million for a breach caused by an unsecured laptop.
GDPR penalties are a potential minefield for companies in any industry that fail to protect personal data, but healthcare providers and other organizations that handle medical data are held especially stringently to the required standards in an increasingly dangerous cybercrime landscape. Considering some of the recent enormous penalties for violations, no healthcare provider wants to set a new GDPR penalty record. The Warsaw University of Life Sciences was fined €11,200 for a single lost notebook full of patient data from a study. The Municipality of Rælingen, Sweden was fined €46,660 for failure to secure children’s health data collected as part of a program.
Vastaamo Breach Ups the Ante
Now, a new patient data disaster is creating a buzz about potentially whopping GDPR fines. In an unusual data breach in Finland, Vastaamo, a chain of psychotherapy and mental health clinics, suffered a massive data breach last year. The breach affected sensitive information for more than 400,000 patients, including diagnosis and treatment data, care provider notes, and session records.
But that’s not the strange part. The chapter of this story that takes this breach from serious to ground-breaking happened last week, when the cybercriminals responsible started trying to ransom the data. And not just from the business: they also demanded ransoms from the affected patients themselves. On October 21, 2020, the cybercriminals started releasing the stolen data after their demands were not met, sending shockwaves through the medical community.
So, what can we expect to be one outcome of this epic saga? Possibly a new GDPR penalty record for medical care providers. Failure to take proper precautions against ransomware and other types of cybercrime will hurt. The provider, which has changed hands since the initial data breach and is now a subsidiary of Intera Partners, will likely face an enormous GDPR penalty in addition to penalties accrued at other regulatory levels. While the penalty won’t likely reach the levels achieved by Google or British Airways, it’s bound to be enormous, to emphasize the seriousness of compliance with regulations and best practices when handling extremely sensitive consumer or patient data.