24 July 2017 / article

Data breach incidents: new attack targets health sector

The digitalization of healthcare services is generally applauded, as it leads to increased efficiency, better quality of care, lower administrative costs, and patient empowerment. However, the digitalization of such services is not without risk from a data protection perspective, in particular given the ‘sensitive’ nature and strict legal protection of personal health information.

2017 is the year of data breach incidents: new attack targets health sector

Belgian doctors and hospitals have recently learned the hard way that they are indeed a hacker target.

There are, of course, significant benefits to the digitalization of healthcare services: increased efficiency, better quality of care, lower costs, patients’ empowerment, and tailor-made follow-up are only a few examples.

However, when digitalizing healthcare services, one must remain aware of the risk this entails from a data protection perspective. Personal health information is often very sensitive and is therefore also protected by a very strict legal regime. This type of information includes patient records held by a doctor or hospital, but also certain information included in employee records (e.g. relating to sick leave).

What happened?

Some 500.000 Belgian doctors and hospitals recently learned the hard way that their patient data was seemingly inadequately protected against hacking attacks.

An unknown hacker managed to steal certain patient data via the Flemish website “Digitale Wachtkamer”, a website / online tool allowing patients to set up appointments with their doctor.

The hacker was able to access the email addresses, phone numbers as well as the passwords of the patients. Moreover, and perhaps even more disturbing, the hacker also managed to retrieve the personal messages sent by the patients via the website, accompanying their request for an appointment. In some cases, this meant that the medical reason(s) for the appointment were accessed and stolen. This type of personal ‘health’ data is in fact a special category of data that is considered particularly ‘sensitive’ by nature and should benefit from additional protection against unlawful access and disclosure.

42 bitcoins for silence

In an e-mail sent to the manager of the web application, the hacker threatened to make the stolen data public if he/she did not receive 42 bitcoins (equivalent to more or less EUR 85.000).

Faced with this blackmailing attempt, the company responsible for the “Digitale Wachtkamer” decided to lodge a complaint with the computer crime specialists of the Belgian police.

A new data breach calling once more for vigilance when it comes to data security

After WannaCry and Petya, this data breach is yet another example evidencing the importance of ensuring an appropriate level of data security, taking into account the nature of the data, the scope of the processing, the identified risks, etc.

With the entry into force of the new EU General Data Protection Regulation (GDPR) on 25 May 2018, it is crucial for companies in various sectors to implement strict data security policies, measures for the (quick) notification of data breaches, as well as pseudonymisation/anonymisation tools, in order to prevent and react appropriately to data breach events.

In addition, the mandatory implementation of the “Network and Information Security Directive” (NIS-Directive) by EU Member States by 9 May 2018 will have an important impact on the data security practices of undertakings in a number of specific sectors (energy, transport, banking, financial market infrastructures, health and drinking water supply and distribution, digital infrastructure, and digital service providers such as search engines, online marketplaces and cloud computing service providers).

To ensure a high common level of network and information security in these specific sectors, the NIS-Directive lays down a number of measures to be taken to prevent, handle and respond to risks and incidents affecting networks and information systems.

The notification duty, preventive measures, and sanctions provided by the NIS-Directive (as well as the data breach reporting obligations under the GDPR) should lead to more transparency and awareness regarding cybersecurity risks.

***

For more information (e.g. on how and when to notify data breaches, on the implementation of adequate internal policies and procedures, or on the filing of criminal complaints against hackers), contact the authors of this newsflash or your usual contact person within Loyens & Loeff.
