The digitalization of healthcare services is generally applauded, as it leads to increased efficiency, better quality of care, lower administrative costs, and patient empowerment.
However, the digitalization of such services is not without risk from a data protection perspective, in particular given the ‘sensitive’ nature and strict legal protection of personal health information.
Belgian doctors and hospitals have recently learned the hard way that they are indeed a hacker target.
There are, of course, significant benefits to the digitalization of healthcare services: increased efficiency, better quality of care, lower costs, patients’ empowerment, and tailor-made follow-up are only a few examples.
However, when digitalizing healthcare services, one must remain aware of the risk this entails from a data protection perspective. Personal health information is often very sensitive and is therefore also protected by a very strict legal regime. This type of information includes patient records held by a doctor or hospital, but also certain information included in employee records (e.g. relating to sick leave).
What happened?
Some 500.000 Belgian doctors and hospitals recently learned the hard way that their patient data was seemingly inadequately protected against hacking attacks.
An unknown hacker managed to steal certain patient data via the Flemish website “Digitale Wachtkamer”, an online tool allowing patients to set up appointments with their doctor.
The hacker was able to access the email addresses, phone numbers and passwords of the patients. Moreover, and perhaps even more disturbing, the hacker also managed to retrieve the personal messages sent by the patients via the website to accompany their appointment request. In some cases, this meant that the medical reason(s) for the appointment were accessed and stolen. This type of personal ‘health’ data is in fact a special category of data that is considered particularly ‘sensitive’ by nature and should benefit from additional protection against unlawful access and disclosure.
42 bitcoins for silence
In an e-mail sent to the manager of the web application, the hacker threatened to make the stolen data public if he/she did not receive 42 bitcoins (equivalent to more or less EUR 85.000).
Faced with this blackmailing attempt, the company responsible for the “Digitale Wachtkamer” decided to lodge a complaint with the computer crime specialists of the Belgian police.
A new data breach calling once more for vigilance when it comes to data security
After WannaCry and Petya (see our previous newsflash on the subject), this data breach is yet another example demonstrating the importance of ensuring an appropriate level of data security, taking into account the nature of the data, the scope of the processing, the identified risks, etc.
With the entry into force of the new EU General Data Protection Regulation (GDPR) on 25 May 2018, it is crucial for companies in various sectors to implement strict data security policies, measures for the (quick) notification of data breaches, as well as pseudonymisation/anonymisation tools, in order to prevent and react appropriately to data breach events.
In addition, the mandatory implementation of the “Network Information Security Directive” (NIS-Directive) by EU Member States by 9 May 2018 will also have an important impact on the data security practices of undertakings in a number of specific sectors (energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, and digital service providers such as search engines, online marketplaces and cloud computing service providers).
To ensure a high common level of network and information security in these specific sectors, the NIS-Directive lays down a number of measures to be taken to prevent, handle and respond to risks and incidents affecting networks and information systems.
The notification duty, preventive measures, and sanctions provided by the NIS-Directive (as well as the data breach reporting obligations under the GDPR) should lead to more transparency and awareness regarding cybersecurity risks.