In three recent decisions, the Italian Privacy Authority sanctioned the Lazio Region over a ransomware attack suffered in the summer of 2021 that shut down the regional healthcare system and caused disruption that lasted for several months.
The Ransomware Attack suffered by the Lazio Region
The summer of 2021 was marked by a major cybersecurity incident affecting the Lazio Region’s healthcare system, with direct consequences for the availability of essential services and for the management of the healthcare data of millions of citizens. On the night of July 31 to August 1, a ransomware attack seriously compromised the regional systems and brought daily healthcare operations to a halt. The incident prompted a decisive response from the Data Protection Authority, which imposed fines totaling 401,000 euros on the entities held responsible.
The Dynamics of the Cyber Attack
The malware, introduced via an employee’s laptop, paralyzed numerous essential services: from managing medical bookings to retrieving test results and registering vaccinations. The outage lasted from a minimum of 48 hours to several months for some functions. In the view of the Italian privacy authority, this exposed significant gaps in IT security both at the Lazio Region’s IT provider (the company in charge of the regional information systems) and at the Lazio Region itself.
Privacy violations and sanctions following the ransomware cyber attack
Through extensive investigations and inspections, the Italian data protection authority found that both the Lazio Region and its IT provider had committed serious violations of privacy regulations. These violations stemmed mainly from the use of outdated systems and from the lack of adequate security measures to prevent personal data breaches and to detect them in a timely manner.
Consequently, the Privacy Authority sanctioned both parties involved in the ransomware attack, issuing fines totaling 401,000 euros for:
- failure by the IT provider to take adequate preventive and reactive measures;
- lack of supervision by the data controller on its processor.
These violations led to an inadequate response during the attack, with Lazio Region’s IT provider deciding to shut down all systems without knowing which were compromised or how to contain the spread of the malware. This exacerbated the impact of the attack, prolonging the unavailability of essential health services and
With the sanctions imposed, the Italian privacy authority took a dangerous stance that seems to extend to data controllers a form of strict liability for any misconduct by their data processors. Indeed, the Garante (the Italian data protection authority) appears to have gone beyond the liability regime provided for by the GDPR.
On a similar topic, you can read the article “How to deal with a data breach following a ransomware cyberattack?”.