Centric Healthcare has been fined €460,000 by the Data Protection Commissioner over a ransomware attack in 2019 that saw patient data encrypted by hackers.
The attack, which restricted access to patient data, hit 11 Primacare GP practices, which Centric Health acquired in 2016. At the time, the practices were being integrated into Centric Health’s IT system.
The attack affected the data of 70,000 patients. The data of 2,500 of them was deleted during attempts to mitigate the attack, and no backup was available from which to restore it.
Dublin-headquartered Centric offers GP, specialist care and dental services to more than 400,000 patients throughout the State.
The attack took place on December 3rd, 2019, when staff lost access to the patient administration system. A subsequent investigation discovered malware on the system, identified as Calum ransomware, which encrypts data and demands payment to decrypt it. Backups of the system were also affected by the ransomware.
Among the data categories affected were the names, dates of birth, PPS numbers and contact details of the patients.
The DPC was informed of the breach on December 5th, and Centric later informed the 2,500 patients about the deletion of their data.
Although the DPC noted the action taken by the company to resolve the data breach, it also considered that some of those actions had aggravated the damage suffered by the affected patients. In particular, deleting some information from the hard drive before experts could analyse it may also have removed information that would have helped assess the extent of the breach.
The DPC rejected arguments from the company that this view could dissuade data controllers from taking mitigating action following a data breach for fear of being punished for human error.
In a statement, the company said although access to patient data was restricted for a short time, there was no evidence to suggest patient data had been read or copied by criminals.
“Immediately following the attack, we made every possible effort to regain access to the data as quickly as possible. While this work was being done, data belonging to some patients was inadvertently deleted and we notified all of these patients at that time,” the company said. “We want to assure our patients that we take our responsibility to protect their data and ensure the security of our IT systems very seriously. We are doing everything we can to mitigate against any potential future criminal attack. We continue to invest significantly in our cybersecurity and data protection processes and procedures and are operating in line with international best practice in these areas.”
Centric Health said it had co-operated fully with the DPC investigation.