Ransomware Attack: ASL Fined for Inadequate Security Measures

ASL Napoli 3 Sud, a public healthcare institution, has been fined €30.000 by the Italian Privacy Authority through decision n. 426/2023. The fine was levied for inadequately protecting the personal and healthcare data of 842.000 individuals (patients and employees) from hacker attacks.

Specifically, the healthcare facility fell victim to a ransomware attack: a virus was introduced that restricted access to the institution’s database, and a ransom was demanded to restore access.

In compliance with personal data protection regulations, ASL promptly reported the data breach to the Privacy Authority, which initiated an investigation to assess the technical and organizational measures adopted by ASL both before and after the attack.

During the verification process, ASL confirmed the timeline and reported that forensic analyses reconstructed the breach starting from the initial unauthorized accesses.

Following the investigation, the Authority imposed a monetary administrative penalty of €30.000 on the healthcare institution for its failure to implement adequate security measures to promptly detect personal data breaches and ensure network security.