GDPR News

Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine

The GDPR data protection authority in the Netherlands –  Authoriteit Persoonsgegevens – has issued its first GDPR data breach fine to Haga Hospital in the Hague. Haga Hospital has been fined $460,000 ($516,000) for security failures that contributed to a privacy breach in 2018.

The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated.

In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’.

The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing log files to identify unauthorized data access. The lack of appropriate security measures to protect personal data was in violation of GDPR requirements and a fine was deemed necessary. The hospital will now be monitored to make sure that security is improved. Further fines will be issued if security is not brought up to the standards demanded by GDPR.

The hospital has been given until October 2, 2019 to make the necessary improvements or a further fine will be issued at a rate of €100,000 every two weeks up to a maximum of €300,000. Haga Hospital has agreed to implement additional security measures to improve its security posture.

Last year, a similar fine was issued to Centro Hospitalar Barreiro Montijo in Portugal by the Portuguese data protection authority. The hospital had also failed to secure records and prevent unauthorized access from within the hospital. The Portuguese hospital was fined €400,000 for its security failures.

The post Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine appeared first on HIPAA Journal.

ICO Proposes $123 Million GDPR Fine for Marriott

Just a few days after the UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183 million ($230 million) for its 383 million-record breach comes another financial penalty for GDPR violations.

ICO has announced its intention to fine Marriott £99 million ($123 million) for its breach of around 339 million customer records, which was discovered in 2018.

The ICO is the UK’s GDPR supervisory authority. When a data breach is experienced that results in the exposure of EU citizen’s data, the breach must be reported to ICO within 72 hours of discovery. ICO investigates data breaches to determine whether GDPR rules were violated. ICO also investigates complaints about GDPR violations from consumers.

After receiving Marriott’s breach report in September 2018, ICO launched an investigation. It is not reasonable to expect companies to be able to prevent all data breaches but, under GDPR, reasonable and appropriate security measures should be implemented to reduce the risk of a breach to a low and acceptable level.

In Marriott’s case, the breach occurred at Starwood Hotels & Resorts Worldwide in 2014 when hackers gained access to a guest reservation database. Marriott purchased the hotel chain in September 2016 but failed to discover the compromised database until September 8, 2018.

ICO determined Marriott had failed to conduct sufficient due diligence on Starwood Hotels when it was negotiating its acquisition, and Marriott should have done more to secure its systems and protect the personal information of its customers.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Marriott cooperated fully with the ICO investigation and has already overhauled its security program and has improved its security posture. Marriott has 28 days to appeal the proposed £99,200,396 fine before ICO makes its final determination. “We are disappointed with this notice of intent from the ICO, which we will contest,” said Arne Sorenson, president and CEO of Marriott.

The post ICO Proposes $123 Million GDPR Fine for Marriott appeared first on HIPAA Journal.

British Airways Faces £183 Million GDPR Fine for 2018 Data Breach

The UK Information Commissioners Office (ICO), the GDPR supervisory authority, has issued the largest GDPR penalty to date to British Airways. British Airways can appeal, but as it stands the ICO will fine the airline £183.39 million ($228 million) for security failures that led to a 2018 cyberattack on its website.

The fine surpasses the previous record of £500,000 ($623,000) issued to Facebook over the Cambridge Analytica scandal. For British Airways however, its breach occurred after May 25, 2018 – The effective date of the EU’s General Data Protection Regulation.

GDPR updated a previous EU directive and in addition to introducing a slew of new privacy and security regulations, the penalties for privacy and data security failures were substantially increased. The maximum penalty for a serious GDPR violation is now €20 million ($22.4 million) or 4% of global annual turnover, whichever is higher.

The £183 million penalty corresponds to 1.5% of BA’s global annual turnover for 2017. The maximum penalty would have been close to £500 million if its holding company, International Airlines Group (IAG), was found to be involved. The global annual turnover for IAG in 2017 was €2.27 billion.

Under GDPR, entities that experience a breach involving the data of EU citizens must report the breach within 72 hours of discovery. BA announced its breach and reported the incident to ICO on September 6, 2018, one day after the breach was discovered.

The subsequent ICO investigation uncovered security failures that were exploited by hackers to gain access to BA’s website. Code was inserted which redirected visitors to a fraudulent website where personal information and credit/debit card details were stolen. According to ICO, the personal and financial information of around 500,000 customers was stolen. ICO said the breach occurred some time in June 2018 and continued until September 5.

The fine was not issued for the breach itself. ICO has said the fine reflects the seriousness of the security failures that opened the door to the hackers.

The ICO has only issued a ‘Notice of Intent’ to fine BA. BA now has 28 days in which to launch an appeal. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of International Airlines Group.

The post British Airways Faces £183 Million GDPR Fine for 2018 Data Breach appeared first on HIPAA Journal.

AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology

Amazon Web Services’ chief technology officer, Werner Vogels, has been dispelling security myths about cloud computing at the Dublin Tech Summit in Ireland this week.

Concerns have been raised about the security of data stored in the cloud, especially following the discovery that 540 million Facebook records had been exposed on AWS: One of several high-profile data breaches that have involved AWS-stored data in the past 12 months.

Fears About Compliance and the Cloud

Companies required to comply with General Data Protection Regulation (GDPR) must ensure that the personal data of EU citizens is secured and kept private and confidential. Since GDPR came into effect on May 25, 2018, the potential penalties for data exposures have increased significantly. It is therefore understandable that companies are concerned about storing data in the cloud rather than on-premise infrastructure that they feel better able to secure.

Germany’s federal commissioner, Ulrich Kelber, spoke before Vogels at the Tech Summit and voiced his concerns about American cloud storage providers, stating that they should not be used for hosting police data as there was a risk of snooping. The federal commissioner was particularly concerned about the passing of the Cloud Act in 2018, which could allow federal law enforcement to gain access to data stored by U.S. technology companies.

Many companies in the United States are also wary about using the cloud for storing sensitive data such as protected health information, and the potential for HIPAA violations. As is the case with GDPR, the penalties for data exposure can be severe and, for small healthcare organizations, potentially catastrophic.

Vogels explained that cloud security should not be a concern and storing data on AWS is perfectly secure. His advice to all AWS users is “encrypt everything,” but at a minimum, make sure that all personally identifiable information is encrypted.

By encrypting data, companies can meet the requirements of GDPR, HIPAA, and other federal and state regulations. As for the Cloud Act, if a technology company is issued with a warrant to release data, if the AWS customer has encrypted their data using modern encryption standards, and only they hold the key to decrypt the data, it is perfectly secure. Any conversation about data access is then between law enforcement and the customer. AWS will not be involved.

Vogels also explained that AWS has improved its controls to make it harder for data to be exposed. All customer information is now closed off by default. It takes a deliberate action to remove AWS protections and leave data accessible. Should that happen, major red flags are raised.

Vogels said, “We’re very strong believers that the best way to help our customers protect themselves from whatever bad actors you can imagine is to ensure encryption is as easy to use as any other digital service.” Encryption is offered through AWS to make securing sensitive data as easy as possible.

Voice Technology Has Huge Potential

Vogels also spoke about one potential big area for Amazon. Big even by Amazon’s standards. Vogels said Amazon is not looking to invest in technologies that will add $100 million to the balance sheet. Amazon is looking for billion-dollar plus opportunities. Alexa voice technology is a prime example.

Amazon Alexa is the leading voice technology and has already found uses in healthcare. HIPAA was something of a stumbling block as the regulations covering protected health information are strict, but Amazon has recently solved that problem. Amazon is offering business associate agreements to a select group of companies and has made sure that its voice tech can transfer data securely in a manner compliant with HIPAA Rules. Last week Amazon announced that six new healthcare skills had been launched that could be used in connection with PHI. The company will be collaborating further with healthcare organizations, although by invite only at this stage.

Skills have also been developed by WebMD which allow users to ask questions about their symptoms using voice commands rather then entering information on a website. These skills are just the tip of the iceberg and the potential uses of voice technology in healthcare are huge. Alexa could even be used by people to gain access to healthcare information stored in their EHRs in the not too distant future.

Vogels certainly believes voice technology is the way forward and thinks voice commands will be the main way that people interact with digital systems in the future.

The post AWS Chief Technology Officer Allays Fears about Cloud Security and Talks about the Huge Potential of Alexa Voice Technology appeared first on HIPAA Journal.

59,000 Data Breaches Reported to GDPR Supervisory Authorities: 91 Fines Issued

A new report from DLA Piper indicates 59,430 data breaches have been reported to EU supervisory authorities since the GDPR compliance deadline of May 25, 2018. The majority of the data breaches have been reported in the Netherlands (15,400), Germany (12,600), and the United Kingdom (10,600).

The Netherlands saw the highest number of breaches per capita, followed by Ireland, and Denmark. It is worth noting that many non-EU companies have registered bases in EU member states and any data breaches experienced by them count toward the total for the country where their European HQ is established. Many non-EU firms, including Google, Facebook, Twitter, and Microsoft, have chosen Ireland for their European base.

Obtaining accurate numbers for data breach reports was a challenge. Official EU figures suggest that there had only been 41,502 data breaches reported between the compliance deadline and January 28, 2019; however, those figures do not include Norway, Iceland, and Lichtenstein, which are not members of the EU but are part of the European Economic Area (EEA). The official figures also only included data breaches reported in 21 of the 28 member states.

The data for the DLA Piper report came from breach notifications filed in 23 EU member states and by EEA members. Data breach reports have not been made public in Bulgaria, Croatia, Estonia, Lithuania, and Slovakia.

The number of data breaches reported so far appears higher than before GDPR came into effect. That does not mean there has been an increase in data breaches, only that more companies are reporting breaches and breaches are also being reported more quickly. GDPR requires breach notifications to be issued within 72 hours of the discovery of a breach.

Financial Penalties for GDPR Violations and Data Breaches

DLA Piper has been tracking GDPR fines since the compliance deadline. To date, 91 financial penalties have been issued. Financial penalties can be issued for any violation of GDPR. In addition to data breaches, GDPR supervisory authorities investigate complaints about privacy violations. It was such a complaint that resulted in the largest GDPR violation penalty issued to date: The €50 million ($57 million) fine for Google issued by the French supervisory authority, CNIL.

The supervisory authorities in Germany have been the most active enforcers of GDPR since the May 25, 2018 compliance deadline. 64 of the 91 fines have been issued in Germany. Those fines include the two largest financial penalties for companies that have experienced data breaches.

The chat platform Cuddles was fined €20,000 ($22,700) by the German Data Protection Authority LfDI for storing users’ passwords in clear text. LfDI also issued an €80,000 ($91,000) financial penalty to an organization that published health information on the internet – The second largest GDPR data breach fine to date.

Only a relatively small number of fines have been issued in relation to data breaches; however, many supervisory authorities are struggling with the volume of breach notices they have received and there is a considerable backlog to get through. Some data breaches reported in 2018 may still result in fines.

DLA Piper notes that the majority of the fines issued to date have been relatively low; much lower than the maximum penalty of €20 million or 4% of global annual turnover, whichever amount is higher. DLA Piper anticipates there will be several fines of tens or even hundreds of millions of euros issued in 2019 once the supervisory authorities have cleared the backlog of data breach reports and GDPR complaints.

The post 59,000 Data Breaches Reported to GDPR Supervisory Authorities: 91 Fines Issued appeared first on HIPAA Journal.

GDPR Incorporated into the HITRUST CSF

HITRUST has combined the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST HSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements.

Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater.

Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible.

“As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex,” said HITRUST chief privacy officer, Anne Kimbol. “Many countries have their own unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally.”

HITRUST has completed the formal application process to the Irish Data Protection Commission and the EU Data Protection Board to have the HITRUST CSF officially recognized as meeting GDPR certification standards and hopes to be confirmed as an accredited certification body for GDPR.

In addition to GDPR, HITRUST has incorporated the Singapore Personal Data Protection Act (PDPA) into the HITRUST HSF and is currently working toward becoming an Accountability Agent under Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.

“Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally,” explained HITRUST VP of standards and analysis, Bryan Cline.

The post GDPR Incorporated into the HITRUST CSF appeared first on HIPAA Journal.

Google Hit With €50 Million GDPR Violation Penalty

Google has been hit with a €50 million Euro ($56.8 million) GDPR violation penalty, the largest GDPR violation penalty issued to date.

The French GDPR supervisory authority, the National Data Protection Commission (CSIL), investigated suspected GDPR violations after receiving complaints from two privacy rights groups; La Quadrature du Net and noyb. The first of the complaints was filed on the GDPR compliance deadline, May 25, 2018.

The complaints were related to how Google processes user data for the personalizing ads. It was argued that Google did not have a valid legal basis for processing user information and had not obtained clear consent to do so.

While information about its data processing activities has been made available to users, the information is spread across several documents, so it is unclear to consumers how personal data is being processed. According to CSIL, a consumer would need to take five or six actions in order to find out essential information about Google’s processing activities related to personalized ads and, as such, users would not be able to understand how Google was processing their data.

While consent was obtained, the consent form was pre-checked, requiring users only to click to accept, which is also a violation of GDPR. When obtaining consent, users are required to manually tick check boxes when providing consent. Consent must be clearly provided through an explicit opt-in process.

The lack of transparency about how user data will be processed in relation to serving personalized adverts left consumers in the dark about the “particularly massive and intrusive” data processing that takes place in order to serve personalized ads, according to CSIL.

The extent of the GDPR violations, which are ongoing, warranted a substantial fine. The maximum penalty for serious violations of GDPR is €20 million ($22.73 million) or up to 4% of global annual turnover, whichever is greater. While the €50 million fine is substantial, it falls well short of the maximum possible fine that could have been issued: Around $4.4 billion based on an annual turnover of $110.8 billion in 2017.

The complaints to the CSIL are just two of many that have been filed against Google since the GDPR compliance deadline. Complaints have been submitted by consumer groups in several EU countries over what are viewed as deceptive privacy practices. If those complaints are substantiated, further fines can be expected.

Google has responded to the fine by issuing a statement confirming that it is deeply committed to meeting the high standards of transparency, control, and consent that is required by GDPR and will be studying the decision of CSIL to determine what steps must be taken next.

The substantial GDPR violation penalty sends a message to large technology firms and other entities that collect or process the data of EU residents that compliance with all aspects of GDPR requirements is mandatory and violators will face severe fines for noncompliance.

The post Google Hit With €50 Million GDPR Violation Penalty appeared first on HIPAA Journal.

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act.

The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.

The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions.

As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data.

The bill would also require companies to disclose the names of the persons or companies to whom users’ personal data have been sold to and individuals/companies that have been licensed to use personal data.

There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, there are no data breach notification requirements, a Data Protection Officer does not need to be appointed, and there is no requirement for risk assessments related to high-risk processing activities.

If passed, the Data Care Act will be enforced by the Federal Trade Commission which will be given the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.

GDPR failures can attract a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.

The bill is primarily concerned with currently unregulated online companies, ISPs and FCC common carriers, although it also has implications for regulated industries such as the financial services and healthcare.

Health data will be covered by the Data Care Act in three categories: Health data related to the provision of medical services related to the physical and mental health of an individual; Health data processed in relation to the provision of health and wellness services; and health data that is derived from medical tests, including genetic and biological samples. The FTC will have the authority to further define the types of information classed as health data.

Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.

“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.

In addition to Senator Schatz, the bill has been co-sponsored by Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).

The discussion draft of the bill can be downloaded from the Center for Democracy and Technology on this link.

The post Federal GDPR-Style Data Privacy Bill Introduced appeared first on HIPAA Journal.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

The post First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine appeared first on HIPAA Journal.