24 July 2017 / article

Data breach incidents: new attack targets health sector

The digitalization of healthcare services is generally applauded, as it leads to increased efficiency, better quality of care, lower administrative costs, and patient empowerment. However, the digitalization of such services is not without risk from a data protection perspective, in particular given the ‘sensitive’ nature and strict legal protection of personal health information.

Belgian doctors and hospitals have recently learned the hard way that they are indeed a hacker target.

There are, of course, significant benefits to the digitalization of healthcare services: increased efficiency, better quality of care, lower costs, patients’ empowerment, and tailor-made follow-up are only a few examples.

However, when digitalizing healthcare services, one must remain aware of the risk this entails from a data protection perspective. Personal health information is often very sensitive and is therefore also protected by a very strict legal regime. This type of information includes patient records held by a doctor or hospital, but also certain information included in employee records (e.g. relating to sick leave).

What happened?

Belgian doctors and hospitals recently learned the hard way that the data of some 500,000 patients was seemingly inadequately protected against hacking attacks.

An unknown hacker managed to steal certain patient data via the Flemish website “Digitale Wachtkamer”, a website / online tool allowing patients to set up appointments with their doctor.

The hacker was able to access the email addresses, phone numbers and passwords of the patients. Because many people reuse passwords, a stolen email address and password pair also exposes the patient to attacks on his or her other online accounts. Moreover, and perhaps even more disturbing, the hacker also managed to retrieve the personal messages sent by the patients via the website to accompany their appointment requests. In some cases, this meant that the medical reason(s) for the appointment were accessed and stolen. This type of personal ‘health’ data is a special category of data that is considered particularly ‘sensitive’ by nature and should benefit from additional protection against unlawful access and disclosure.

42 bitcoins for silence

In an e-mail sent to the manager of the web application, the hacker threatened to make the stolen data public if he/she did not receive 42 bitcoin (equivalent to roughly EUR 85,000 at the time).

Faced with this blackmailing attempt, the company responsible for the “Digitale Wachtkamer” decided to lodge a complaint with the computer crime specialists of the Belgian police.

A new data breach calling once more for vigilance when it comes to data security

After WannaCry and Petya, this data breach is yet another example evidencing the importance of ensuring an appropriate level of data security, taking into account the nature of the data, the scope of the processing, the identified risks, etc.

With the new EU General Data Protection Regulation (GDPR) becoming applicable on 25 May 2018, it is crucial for companies in various sectors to implement strict data security policies, procedures for the quick notification of data breaches (the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible), and pseudonymisation/anonymisation tools, in order to prevent data breach events and to react appropriately when they occur.

In addition, the mandatory transposition of the Network and Information Security Directive (NIS Directive) by EU Member States by 9 May 2018 will have an important impact on the data security practices of undertakings in a number of specific sectors (energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, and digital service providers such as search engines, online marketplaces and cloud computing service providers).

To ensure a high common level of network and information security in these sectors, the NIS Directive lays down a number of measures to be taken to prevent, handle and respond to risks and incidents affecting networks and information systems.

The notification duty, preventive measures and sanctions provided by the NIS Directive (as well as the data breach reporting obligations under the GDPR) should lead to more transparency and awareness regarding cybersecurity risks.

***

For more information (e.g. on how and when to notify data breaches, on the implementation of adequate internal policies and procedures, or on the filing of criminal complaints against hackers), contact the authors of this newsflash or your usual contact person within Loyens & Loeff.
