Garante per la protezione dei dati personali (Italy) - 10058595

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 33(1) GDPR
Article 34(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 17.07.2024
Fine: 22,000 EUR
Parties: Azienda ULSS 6 Euganea
National Case Number/Name: 10058595
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The Italian DPA fined a health authority €22,000 after a ransomware attack, made possible by inadequate technical measures, led to unauthorised access to and disclosure of the health data of thousands of patients.

English Summary

Facts

The controller, a health authority managing several hospitals and other health facilities, suffered a ransomware attack. According to the incident reports, two threat actors gained access to the internal network via VPN connections that were not protected by multi-factor authentication (at least one of the VPN credentials used had plausibly been harvested by info-stealer malware), used domain administrator accounts to distribute the encryption tool with PsExec, encrypted virtual machines and datastores, and deployed a collector that exfiltrated files to an external IP address via SFTP and WebDAV. The files stored on the controller's servers and workstations contained personal data of both employees and patients, including medical documents and images.

The controller notified the data breach to the DPA under Article 33 GDPR, updating the notification in several stages as the forensic analysis progressed. Several data subjects also complained to the DPA.

The controller argued that it was in the process of consolidating the IT systems of the three former health authorities from which it had been formed and of upgrading its security measures, a process interrupted by the pandemic. It also pointed out that data subjects were informed as soon as the breach was discovered.

Holding

First, the DPA found that the breach had been notified to the DPA and communicated to the data subjects without undue delay, and therefore found no violation of Articles 33 and 34 GDPR.

However, the DPA noted that the controller had not implemented appropriate measures to detect unauthorised access to its IT systems in a timely manner (the inspection had found no control room or automated monitoring of security events, inactive forwarding of VPN logs, and firewall logs retained for only 60 days). It therefore found a violation of Article 5(1)(f) GDPR in conjunction with Article 32(1) GDPR.

Second, the DPA held that the technical and organisational measures in place to prevent such attacks were inadequate; in particular, VPN access to the network and systems was not protected by multi-factor authentication, although the controller's own security plan had already identified this measure. On this ground too, the DPA found a violation of Article 5(1)(f) GDPR in conjunction with Article 32(1) GDPR.

On these grounds, the DPA fined the controller €22,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10057610]

Provision of 17 July 2024

Register of provisions
no. 444 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code”, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “Code”);

HAVING SEEN Legislative Decree no. 101 of 10 August 2018, containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”;

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Data Protection Authority, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Data Protection Authority Regulation no. 1/2019”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Data Protection Authority Regulation no. 1/2000 on the organization and functioning of the office of the Data Protection Authority, web doc. no. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. The breach of personal data and complaints

On XX, the ULSS 6 Euganea Company, hereinafter “Company”, sent to the Authority, pursuant to art. 33 of the Regulation, a notification of a personal data breach - subsequently integrated with notes of XX and XX, XX and XX, XX and XX - regarding a cyber attack caused by ransomware (XX) on its information systems.

Taking into account the high number of data subjects involved and the nature of the personal data subject to the breach, it was deemed necessary to investigate the circumstances in which the aforementioned personal data breach occurred, as well as the security measures adopted, through an inspection of the Company in the month of XX.

With regard to the same matter, between XX and XX, several requests were received from citizens who, having learned of the event, contacted the Authority.

2. The breach of personal data

2.1. The fact

The circumstances relating to the violation of personal data were represented by the Company both in the notification to the Authority, carried out, in phases, pursuant to art. 33 of the Regulation, and during the aforementioned inspection activity. In particular, the following emerged.

2.1.1. Notification of the violation to the Guarantor

With the preliminary notification of XX, the Company declared that it was the victim of a “hacker attack detected by the company information systems at 3:00 on XX which prevents access and availability to some company applications (infrastructure, hospital, administrative, territorial) whose precise identification and impact are being defined”, specifying that “an initial analysis highlights the involvement of the server farm of the peripheral ULSS 6 Euganea headquarters in Via Marconi […] Monselice (PD) and of the Camposampiero Hospital (PD)” (see, notification of XX, section XX).

Subsequently, with a note from XX, the Company updated the information regarding the breach by providing a copy of the Incident Report of the Company XX S.p.A. from which it is clear that "the attacker accessed the internal network via XX [...]. There are also accesses via the Fortinet VPN, but there is no useful information on the Fortinet logs [...] server XX identified by the name "XX", on which the malicious program "locker_ce066f3fade586a6_ESXI_Linux" performed encryption operations on the virtual machines and added the extension "lockbit" to the names of these files [...] through the use of domain admin accounts, the attacker used the PsExec tool to distribute, on the identified systems, the encryption tool (xxx). This tool deactivates various security and backup systems and then encrypts the files. [...] The attacker also accessed VMware systems; in this case the root user was used directly and an ad hoc program was used (locker_ce066f3fade586a6_XX Linux), distributed by the XX group on dark web channels. The tool suspended the various VMs and encrypted the datastores […] the attacker distributed an ad hoc executable (sender.exe) that has the task of collecting files (".doc, .docx, .xls, .xlsx, .xlsm, .pdf, .msg, .ppt, .pptx, .sda, .sdm, .sdw, .csv, .zip, .json, .config, .ts, .cs, .sqlite, .aspx, .pst, .rdp, .accdb") that fall into the following conditions: those modified in the last 6 months, those older than a year, but modified in the last 6 years. Once collected, these files are sent to an external IP (104.248.142[.]137) via SFTP and WebDAV” (see notification of XX, XX).
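Scoping which files on a workstation a collector with the criteria quoted above would have picked up is a first step in establishing what may have been exfiltrated. The following Python is an added example, not code from the decision, the Company or its consultants: the extension list is the one quoted from the incident report; the two date conditions are implemented as literally translated (modified within the last six months, or modified more than a year but not more than six years ago), which is an assumption about the original wording and leaves files last modified between six and twelve months ago unselected; the sample user profile is constructed in a temporary directory.

```python
import os
import tempfile
import time
from pathlib import Path

# Extension list as quoted from the incident report.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".xlsm", ".pdf", ".msg", ".ppt", ".pptx",
    ".sda", ".sdm", ".sdw", ".csv", ".zip", ".json", ".config", ".ts", ".cs",
    ".sqlite", ".aspx", ".pst", ".rdp", ".accdb",
}

DAY = 86400
SIX_MONTHS = 183 * DAY
ONE_YEAR = 365 * DAY
SIX_YEARS = 6 * ONE_YEAR


def matches_collector_criteria(mtime: float, now: float) -> bool:
    """Literal reading of the two conditions quoted from the report (an assumption
    about the original wording): modified within the last six months, or modified
    more than a year ago but within the last six years. Files last modified between
    six and twelve months ago fall through both conditions and are not selected."""
    age = now - mtime
    recently_modified = age <= SIX_MONTHS
    older_but_within_six_years = ONE_YEAR < age <= SIX_YEARS
    return recently_modified or older_but_within_six_years


def scope_candidate_files(root: Path, now: float) -> list[str]:
    """Walk root and list (relative, POSIX-style) the files a collector applying the
    quoted extension list and date conditions would have staged."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in TARGET_EXTENSIONS:
                continue
            if matches_collector_criteria(path.stat().st_mtime, now):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_constructed_sample(root: Path, now: float) -> None:
    """Create a small constructed user profile (not real data) with chosen mtimes."""
    sample = {
        "Documents/report.docx": 10 * DAY,          # recent: selected
        "Documents/budget_old.xlsx": 3 * ONE_YEAR,   # older than a year, within six: selected
        "Documents/stale.pdf": 270 * DAY,            # 6-12 months: not selected (literal reading)
        "Documents/notes.txt": 1 * DAY,              # extension not in the list
        "Archive/ancient.csv": 8 * ONE_YEAR,         # older than six years: not selected
    }
    for rel, age in sample.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
        os.utime(path, (now - age, now - age))


def demo() -> list[str]:
    """Build the sample in a temporary directory and return what would be staged."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root, now)
        return scope_candidate_files(root, now)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run against a real user profile, `scope_candidate_files` gives the upper bound of what the collector could have staged from that host; whether those files actually left the network is a separate question that, as the decision records, depends on network logs that were only partly available.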

In addition to what was previously notified, on XX, the Company further updated, on the basis of the “2nd OPINION REPORT - AULSS 6 Euganea IT Incident - v.1.1 of XX” prepared by Yarix s.r.l., the information about the breach, reporting that “the analysis carried out, although influenced by the lack of some useful elements, has allowed us to identify in the attack suffered […] the work, almost contemporary, of two different TA (Threat Actor): in the attacked systems, in fact, traces of two different ransomware gangs, XX and XX, were found. […] the first activities attributable to potential unauthorized access to the infrastructure […] have been traced back to XX, the day on which, from the available elements, the first access was made from one of the IP addresses associated with the attackers. Starting from XX (…) further activities associated with the attackers were detected which led to the actual encryption of the data which occurred on the night of XX. In this regard, the detected attack is very singular […] since (…), the two TAs operated in an almost overlapping timeline, but accessed the systems from two different entry points (VPN on Fortigate device for XX and VPN on XX device for XX) and performed the encryption on different portions of the infrastructure (XX). The checks on the actual exfiltration, unfortunately marred by the absence of useful data (logs) in some of the systems analyzed, did not allow us to determine with absolute certainty whether this occurred, even if the intelligence information collected by the Cyber Threat Intelligence team allowed us to ascertain that XX has, if nothing else, a list of files compatible with what is present in the systems of AULSS 6 Euganea”.
It was also stated that “this short list, which lists the potential exfiltration of approximately 17,000 documents containing personal and non-personal data, is currently being constantly examined by the Information Systems of AULSS 6, in order to confirm the actual correspondence of the files in the possession of the TA with those of the company and to be able to subsequently provide any precise communication to the data subjects, also providing tools to support their rights and freedoms. A detailed analysis of these documents, potentially exfiltrated, was started by a multidisciplinary task force, appointed by the Company Management and specifically trained […]”. The Company, "having examined the second opinion report of Yarix, and assessed the list of unexamined artifacts, intervened with the contractors involved in the services related to the security of the company's infrastructure perimeter (services attributable to the supplier XX S.p.A.) and made seven machines available to Yarix s.r.l. for the purpose of completing the analysis activities. The Cyber Threat Intelligence findings are reported below as per the report of Yarix s.r.l. of XX, an integral part of the aforementioned report: "During the Cyber Intelligence activities, the Yarix Cyber Threat Intelligence team (YCTI) identified, through the undercover profiles of its analysts, the compromise of three hosts with access to the following internal portals belonging to the AULSS6 perimeter: from the first analyses conducted on the identified data, it is clear that the information was collected by three info-stealer instances of the Redline family active on the machines for a certain period. The transmission of information to the C&C occurred on the following dates: Host 1: XX: XX: XX. The date of transmission of the information by the malware does not demonstrate that the credentials are still valid or that they were used on that specific date: it is possible, for example, that the malware collected and sent to the C2 server all the credentials saved in the browser up to that moment. Host 1 contains one of the credentials identified during the analysis of the XX incident as a VPN entry point for XX (user XX), and it is therefore plausible to assume that the same was the object of purchase and sale for the purposes of the attack itself" (see notification of XX, XX).

As a further integration regarding the publication of data by the XX group, the Company attached the “Cyber Intelligence Report” of XX and the “2nd OPINION REPORT - AULSS 6 Euganea IT Incident - rev. XX” prepared by Yarix s.r.l. (see notification of XX, section XX).

Finally, with a note of XX, the Company highlighted what was reported in the “2nd OPINION REPORT - AULSS 6 Euganea IT Incident - rev 1.3 of XX” prepared by Yarix s.r.l., in the part stating that “on XX, following some further details provided during the analysis […] a FortiAnalyzer (FAZVM64) log collection system was identified and acquired at the Padova Colli headquarters, which was in production during the incident […]; the analyses allowed to detect the presence of traffic towards the exfiltration IP from the FW-SCRO14-DC firewall. Specifically, in the time frame between 00:52:10 and 02:12:28 on day XX, outgoing traffic was detected from 18 clients belonging to the ULSS17 domain […]; the traffic analysis allowed to detect a data transfer of approximately 700 MB” (see notification of XX, XX).
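The FortiAnalyzer finding quoted above (outbound traffic from 18 clients to the exfiltration IP within about eighty minutes, roughly 700 MB) is exactly the signal a detection rule over firewall traffic logs can raise while the transfer is still running, rather than months later in a forensic review. The following Python is an added example and not code from the decision, the Company, Yarix or Fortinet: it parses FortiGate-style key=value traffic log lines, aggregates accepted outbound bytes per destination and per internal client, and flags destinations that many clients upload to or that receive an unusually large volume. The log lines, client addresses, date and byte counts are constructed for the demo; the destination address is the one named in the incident report (defanged there as 104.248.142[.]137); the field names used (date, time, srcip, dstip, action, sentbyte) are standard FortiGate traffic log fields.

```python
import re
from collections import defaultdict
from datetime import datetime

# Destination named in the incident report (defanged there as 104.248.142[.]137).
EXFIL_IP = "104.248.142.137"

# Constructed FortiGate-style traffic log lines for the demo; client addresses, the
# date and the byte counts are invented. 203.0.113.10 stands for a benign destination.
SAMPLE_LOG = """\
date=2024-01-01 time=00:52:10 type="traffic" subtype="forward" srcip=10.17.4.21 dstip=104.248.142.137 dstport=22 proto=6 action="accept" sentbyte=314572800 rcvdbyte=20480
date=2024-01-01 time=00:58:41 type="traffic" subtype="forward" srcip=10.17.4.35 dstip=104.248.142.137 dstport=443 proto=6 action="accept" sentbyte=209715200 rcvdbyte=16384
date=2024-01-01 time=01:10:02 type="traffic" subtype="forward" srcip=10.17.4.21 dstip=203.0.113.10 dstport=443 proto=6 action="accept" sentbyte=40960 rcvdbyte=2097152
date=2024-01-01 time=02:12:28 type="traffic" subtype="forward" srcip=10.17.5.102 dstip=104.248.142.137 dstport=22 proto=6 action="accept" sentbyte=209715200 rcvdbyte=12288
date=2024-01-01 time=08:15:00 type="traffic" subtype="forward" srcip=10.17.4.35 dstip=104.248.142.137 dstport=443 proto=6 action="deny" sentbyte=0 rcvdbyte=0
"""

# key=value pairs; values are either double-quoted (type="traffic") or bare (srcip=10.17.4.21).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line: str) -> dict[str, str]:
    """Turn one FortiGate-style log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def _accepted_records(lines):
    """Yield parsed records for accepted sessions that carry the fields we need."""
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("action") == "accept" and all(k in rec for k in ("srcip", "dstip", "sentbyte")):
            yield rec


def summarize_outbound(lines, dst_ip: str) -> dict:
    """Retrospective view of one destination: bytes sent, per-client bytes, time span."""
    total = 0
    per_client = defaultdict(int)
    first = last = None
    for rec in _accepted_records(lines):
        if rec["dstip"] != dst_ip:
            continue
        sent = int(rec["sentbyte"])
        total += sent
        per_client[rec["srcip"]] += sent
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {"total_bytes": total, "clients": dict(per_client), "first": first, "last": last}


def flag_destinations(lines, min_clients: int = 3, min_bytes: int = 500 * 1024 * 1024) -> list[str]:
    """Detection rule: destinations that at least min_clients internal hosts upload to,
    or that receive at least min_bytes, within the analysed batch of log lines."""
    per_dst = defaultdict(lambda: {"bytes": 0, "clients": set()})
    for rec in _accepted_records(lines):
        agg = per_dst[rec["dstip"]]
        agg["bytes"] += int(rec["sentbyte"])
        agg["clients"].add(rec["srcip"])
    return sorted(dst for dst, agg in per_dst.items()
                  if len(agg["clients"]) >= min_clients or agg["bytes"] >= min_bytes)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("flagged destinations:", flag_destinations(lines))
    s = summarize_outbound(lines, EXFIL_IP)
    print(f'{s["total_bytes"] / 2**20:.0f} MiB from {len(s["clients"])} clients '
          f'between {s["first"]:%H:%M:%S} and {s["last"]:%H:%M:%S}')
```

`summarize_outbound` reproduces the kind of after-the-fact query Yarix ran on the FortiAnalyzer data; `flag_destinations` is the same aggregation turned into a rule that should run continuously in a SIEM. The second only works while the logs still exist: section 2.2.2 below records that the Fortinet firewall logs were kept for 60 days while the first malicious VPN accesses predated the encryption (section 2.1.2), which is why so much of the exfiltration analysis remained uncertain.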

2.1.2. The inspection activities

During the inspection activities, the Company, in confirming “the analysis carried out by YARIX with particular reference to the timeline of the document “2nd opinion report - AULSS 6 Euganea IT incident” version 1.3 - XX”, specified that “the first accesses of the malicious actor, via VPN, date back to the month of XX, following which the threat actor XX then proceeded with the typical actions of a cyber kill chain”; that "on XX at 2:37 the help desk, following the receipt of a report of a malfunction in the ticketing system, activated the on-call system support of the infrastructure management provider. Subsequently, the XX company of the XX group, specialized in IT security, was involved" and that "the ULSS, not having any systems engineers among its employees, requested a second opinion regarding the security incident from the YARIX company, a leader in the sector, due to its position of third party and absence of conflict of interest" (see minutes of XX, page XX).

With regard to the extent of the breach with reference to the company's healthcare and administrative-accounting applications, the Company stated that "the administrative-accounting applications were not involved and the virtualization console of the healthcare applications as well as part of the workstations were encrypted. Despite the complexity of the Company's technological infrastructure, composed of numerous and different physical and virtual devices, biomedical equipment, examination equipment for the various hospital specialist areas, it was possible to restore company operations in a short time. This with a service continuity plan, a continuous evaluation of the priorities and the progress of the activities carried out by the various work groups and crisis units, and with the involvement of all available human resources". The controller also clarified that "[the published data] were not extracted from the databases but came from the workstations of employees who had saved personal documents or work lists (e.g. hospitalizations, discharges) or patient records locally, sometimes in draft or incomplete and not catalogued, contrary to the instructions [...] which exclusively provided for the use of "shared folders" or dedicated systems"; that "the institutional website of the Company has always been functional" and that "the provision of services to users and the administration of healthcare services have not suffered any interruption since the procedures envisaged in the event of a disaster were adopted. In any case, following the restoration of the technological infrastructure, all data relating to the activities carried out in emergency mode were transferred" (see minutes of XX, pages XX and XX).

With regard to the number of data subjects whose health data were affected by the attack, the Company stated that “the task force was able to precisely delimit the perimeter of the breach in terms of quantity of personal data, types of personal data and types and number of data subjects, detecting lower numbers than expected at the beginning of the data breach (no. of data subjects 9,520, instead of 23,886 – no. of files 5763 instead of 32,555)” (see notification of XX, section XX).

Finally, the Company provided an integration to the technical report of the XX task force attached to the notification of XX, declaring that the number of data subjects involved “is substantially lower” (see note of XX to resolve the reservations of the XX inspection, annex XX).

2.2. Measures in place at the time of the breach

2.2.1. Notification of the violation to the Guarantor

With reference to the measures in place at the time of the violation, the Company declared:

- that “the AULSS6 derives from the unification of three former ULSS each with its own different information system, the most significant action was the consolidation, unification and securing of a single new domain AULSS6 Euganea and progressive cessation of the old domains and non-unified systems; perimeter security is guaranteed by the use of IPS, antivirus, web filtering, certificate inspection on dedicated systems. Only defined and authorized software is installed on the workstations in the AULSS6 Domain and access with Local Admin is not permitted. The methods of using the workstations (PDL) and more generally the IT tools” are defined “by company regulations. The preparation of the machines (servers and PDLs) occurs using standard templates archived offline and accessible only to the interested personnel. Access to the servers occurs exclusively with administrative users and to the PDLs only with prior authorization. Administrative users have passwords XX (XX). For the control and monitoring of the workstations, the XX system is active for both client and server, while for the inventory part the XX system is used; the Log management system (XX managed by a specialized company) is already active on the most relevant systems. With regard to the security copies, daily full and incremental backup is active on all physical, virtual and database systems: this has in fact allowed for rapid and safe recovery. With regard to the vulnerability assessment, a service is active with a specialized company, performed at least monthly and consequent corrective actions reported to the main players in order to intervene to overcome the reported vulnerabilities. For all the new workstations that support the functionality, the anti-malware scanning function of removable media has been activated as well as the filtering of email messages and web traffic using the regional Google Cloud services. In particular, the security copies are managed with the following systems: XX with the relative backup policies (incremental daily, synthetic weekly); for the Database part XX the Backup takes place on the XX platform (Full daily Backup and hourly archive log). With Resolution no. 709 of XX, the Security Program Document was adopted, which reports an intense improvement plan aimed at increasing the average and maximum security measures with particular reference to the AgID circular 2/2017 and the FNSI, including a training plan in agreement with the DPO for all information systems personnel";

- to have "undertaken, starting from 2018, targeted training courses, addressed to the Management and dependent staff, aimed at increasing and strengthening the knowledge and diligent conduct to be implemented in the field of privacy, data protection and information security. This is due to both the advent of the EU legislation referred to in the GDPR, and in light of the reorganization of the Regional Health System, referred to in regional law no. 19/2016 and effective from 1 January 2017, which provided for the unification of the health companies AULSS 15, 16 and 17 in AULSS 6 Euganea and led to the launch of a new corporate information system and personal data management, as well as the definition of a new corporate privacy system”;

- that it “has implemented and keeps updated all the organizational measures referred to in the GDPR regarding the appointment of authorized persons pursuant to art. 29 GDPR and Article 2-quaterdecies of the Code, of data processors pursuant to art. 28 GDPR and in relation to the designation of the DPO, as well as through the preparation of data breach and risk assessment procedures, applied during the incident in question” (see notification of XX, section XX, point XX).

2.2.2. Inspection Activities

With regard to the computer authentication procedures used in the context of VPN access and to the workstations in place at the time of the violation and the password policies envisaged for the different types of users, the Company, during the inspection activities, declared that:

− “at the time of the personal data violation, multi-factor computer authentication procedures were not envisaged for access to the network and systems managed by the Company via VPN”;

− “the ULSS had prepared a regulation for remote access […] and that on XX a “Programmatic Document on Security” had been approved to enhance security measures and adapt them to the minimum AgID measures […] this document envisaged, among other things, the measure of two-factor authentication for VPN access”;

− “non-privileged users are registered in the Identity Management (IM) platform (XX) of the supplier XX and then in the Active Directory, the credentials are made up of XX. Personnel performing administrative functions have two users, one non-privileged and one with administrative privileges (XX) and connect to the systems via RDP or SSH”;

− “non-administrative users have the following password policy: XX. Compliance with the policy is ensured by the IM platform controls. Privileged users have a password policy of XX with the same rules”;

− “following the unification, the ULSS had undertaken a process of normalization of the infrastructures (over XX servers), workstations (approximately XX), domains and policies which however was interrupted due to the pandemic”;

− “the former ASL 15 and 17 were equipped with obsolete infrastructures”;

− “the old firewalls of the former ASL and the old VPNs were still present, to ensure operational continuity, usually updated by technicians, except in specific cases and motivated by the same” (see minutes of XX, pages XX, XX and XX).

In this regard, the Company then confirmed that "on XX, at the time of the attack, the password management logic for accounts with elevated privileges implemented on the XX domain responded, in accordance with AGID best practices, to the security posture rules reported below: XX" (see note from XX to resolve the reservations of the inspection of XX, see, in particular, attachment no. XX and also XX and XX).

With reference to the security measures, in place at the time of the personal data breach, relating to the segmentation of the networks, the Company declared that "the servers of the former ASL 16 and 17 were placed on a dedicated VLAN, different from the one where the workstations were placed, and a new environment was being prepared starting from the 3 Data Centers of the 3 ASLs" (see minutes of XX, page XX).

With regard to the technical and organizational measures adopted to ensure the availability and resilience of the processing systems and services, as well as the timely restoration of the availability and access to personal data in the event of an incident, the Company declared that:

− “a system monitoring system was present but not a control room”;

− “the SGM service for the management and maintenance of equipment did not include automated analysis and monitoring tools for security events”;

− “the weekly sending of the XX VPN logs to the XX mailbox was not active because, during the activities resulting from the unification and consolidation of the systems of the 3 ASL, a reconfiguration of the email communications of the equipment to a single collection point was in progress and, therefore, it is assumed that the aforementioned log was involved in this migration phase”;

− “it had been using the XX backup system since XX” (see minutes of XX, pages XX and XX).

Subsequently, the Company specified that "at the time of the attack, heterogeneous and differentiated rules were in operation for each firewall in relation to the storage capacity of the devices and the traffic recording rules. With reference to the storage of logs, relating to the activity of system administrators, XX in line with the relevant Provisions requires all its suppliers to "mandatory keep a copy of the access logs and defined operations for a period of no less than 6 months", as per the "General Conditions of Information Security relating to third parties" in the version updated to XX. With reference to the XX firewall, the storage of access logs was 6 months. Finally, with reference to the Fortinet firewall logs, the storage was 60 days. It should also be noted that even before the dates of the attack, a negotiation was underway between XX and the Administration regarding the expansion of the storage space of the Fortinet Firewalls, as proposed to the administration […] to XX" (see XX's note to resolve the reservations of the XX inspection, Annex XX).

2.3. Measures adopted following the violation

2.3.1. Notification of the violation to the Guarantor

With reference to the measures adopted following the violation, the Company, in the context of the notification of the violation, carried out pursuant to art. 33 of the Regulation, represented that:

“an IT company expert in reacting to cyber attacks was promptly involved and is currently and urgently carrying out a preliminary analysis of the event to assess the impact and the consequent remedial and recovery actions for the containment and reduction of the effects of the violation” (note of XX);

“among the immediate actions to mitigate the damage, in addition to the total blocking of network services and access to internal and external services, internal procedures have been produced to prohibit the use of company systems and to reactivate essential services with alternative methodologies and the supply of reliable tools, a team of over 60 IT technicians has been organized to clean up workstations, a Crisis Unit has been set up with all the necessary skills to best manage both the damage mitigation interventions and the consequent organizational interventions related to the prompt resumption of essential health services (Emergency Room, Laboratory, Pathological Anatomy, Radiology, etc.). Furthermore, companies with expertise in the reference sector have been involved, including Scudomed S.r.l., for the profiles relating to privacy and data protection consultancy, and Yarix S.r.l., for the IT and cyber security profiles, also for a technical second opinion activity regarding the data breach. A “LAWYERS” working group has been set up, composed of the Administrative Director of AULSS 6 Euganea, the Director of the UOC General Affairs of AULSS 6 Euganea, the DPO of AULSS 6 Euganea, and also external professionals with legal backgrounds who are experts in criminal law, administrative law, privacy compliance and cybersecurity for the multidisciplinary management of the incident and notifications to different bodies/organizations; the working group meets daily and reports to the General Management with the same timing. The Postal Police - Department for Veneto was promptly informed, already on XX (note of XX);

the second opinion report of XX prepared by Yarix s.r.l. was recalled with a note of XX, which highlighted that the "installation of an XDR (eXtended Detection and Response) tool along the entire perimeter had been carried out, aimed both at ensuring the identification of any latent threats present within the network and at providing the necessary support for the removal of potential residual components resulting from the compromise"; the "activation of a continuous monitoring service of the internal perimeter of AULSS 6 through the Yarix Security Operation Center operating 24/7 to ensure the management and analysis of any security event that occurs within the perimeter under control"; the "activation of a continuous monitoring service of the external perimeter (Cyber-space) relating to the digital profile of AULSS 6 through the Yarix Cyber Threat Intelligence team, in order to identify, through OSINT (Open Source INTelligence) and CLOSINT (Closed Source INTelligence) activities on the clear, deep and dark web, events that can be correlated to the attack suffered by AULSS 6, as well as potential leaks of data and/or other exfiltrated information";

these measures “were undertaken and constantly monitored by the corporate ICT group and the governance together with the consultants and companies involved in managing the emergency, determining, from time to time, a series of measures from a by design perspective, in the execution of disaster recovery activities, in order to ensure the full implementation of the principle of business continuity. The latter has proven particularly effective in the actions of restarting the main management systems capable of ensuring the continuity of patient care, the procurement of life-saving drugs, the efficiency of the analysis laboratories and the Emergency Departments as the main corporate operating structures” (see notification of XX, section XX points XX and XX);

“with resolution no. XX of XX, the new Regulation for the use of IT systems was adopted, distributed according to the methods envisaged for the disclosure of corporate documents. Operating procedures and instructions were also reviewed and distributed to implement corporate policies. The annual corporate training plan was also updated by including in-depth sessions on the new policy for all company personnel” (see notification of XX, section XX, point XX);

With regard to technical and organizational measures to prevent similar future violations, the following measures were indicated: “a) updating the company privacy system […] given the complexity of the company, for which there are still ongoing activities to review the organizational processes resulting from the merger of the three former Padua health companies (ULSS15 - ULSS16 - ULSS17) and the managed treatments, as well as within the continuous improvement process, foreseen and also represented in the 2022-2024 performance plan and in the directive document for the year 2022, the need was identified to redefine the company privacy system in the Personal Data Protection Company Management System (SGA PDP) and to set up a multidisciplinary support team in order to give greater impetus to the path undertaken and ensure operational support capable of supporting the data protection system by demonstrating the capabilities and aptitude of the entire organization to enhance and protect the information assets, ensuring the monitoring and continuous improvement of processes and procedures. The team has been assigned analysis and support functions to the company personal data protection office (formerly privacy office), in coordination with the DPO. The aim is to ensure multidisciplinary support so as not to lose sight of the protection objective and to maintain the efficiency of the set of security measures adopted over time, improving it if and when necessary. b) Adherence to PDR 43:2018: The Company Management has activated the process to achieve certification of adherence to the "Guidelines for the management of personal data in the ICT sector according to EU Regulation 2016/679" with the aim of improving actions for the correct processing of personal data of the Company Management System for Personal Data Protection, laying the foundations for certification mechanisms as recommended by art. 42 of European Regulation no. 679/2016. c) ISO 9001:2015 and 27001:2017 certifications: The Company Management has started the process for adhering to the quality management model for information security in order to redefine processes and tools connected to them from the perspective of information security and obtain ISO 9001:2015 and 27001:2017 certification following alignment of the information systems activity with the indications provided by the legislation on personal data protection. This is in order to allow the free and safe circulation of personal data within the SGA PDP. d) Training: diversified training courses have been intensified for all company personnel as well as for the multidisciplinary team” (see notification of XX section XX, point XX).

2.3.2. Inspection Activities

During the inspection activities, the Company stated that “following the breach, XX activated the multi-factor computer authentication procedure for access to the network and systems managed by the Company via VPN, with a second factor of XX” and that “the instructions for activating the VPN with MFA were provided to employees via email” (see XX minutes, page XX). Furthermore, the Company stated that “following YARIX’s suggestions, contained in the second opinion report, a structured SIEM was activated that collects the various logs being consolidated, first with temporary assignments and subsequently in the new contract in force with XX”, that “the XDR system of the XX company was adopted” and “starting from the end of XX, a series of security measures were activated, including the XX XDR tool, monitored 24/7 by the YARIX SOC, to protect end points, to respond to and combat threats; a SIEM log collection system to monitor all security events; an analysis service for the collection of intelligence information from open and closed sources (OSINT and CLOSINT) in order to identify any data exfiltration, compromise of accounts and users as well as other potential threats relating to the perimeter agreed with the ULSS (XX)” (see minutes of XX, pages XX and XX).

With regard to organizational measures, the Company highlighted that “the process of reviewing the procedures already underway has undergone an acceleration that has led to the definition of a Personal Data Protection Company Management System (SGA PDP) […]. Following the incident, the network of contacts who dealt, among other things, with procedures and clinical risk, acquired the additional expertise of data protection with appropriate training to establish an observatory in the field both to intercept anomalies but also to better regulate new projects and activities that may have an impact on data protection. The network currently consists of XX people. A multidisciplinary team (skills in data protection, ICT security, medical, human resources, etc.) was also set up, trained with an 80-hour course - with specific modules on topics including consent, scientific research, medical apps, medical devices, artificial intelligence - in addition to the annual training plan for all employees that already included data protection and ICT security topics [...]. It also adopted the XX tool which, in addition to making available all the procedures and documentation necessary to inform employees, collects reports from the network of referents and which will soon be extended to all staff, for a fast and centralized collection of data from individual UOs, conveyed at company level to the RPD and strategic management. This tool is therefore used to raise staff awareness and distribute documents of all updated procedures that employees must read. 
The reports collected through this tool are analyzed by the Quality office which, if necessary, involves the multidisciplinary team and the RPD”, which has “set up a privacy office, separate from the RPD, which deals, among other things, with compliance activities, first drafting of VIP, information, and is in close contact with the multidisciplinary team and the company’s top management” and which “has undertaken a process to obtain ISO 27001 and UNI PdR 43:2018 certification” (see minutes of XX, page XX).

With reference to data and system recovery operations, the Company, during the inspection activities, declared that “since XX the ULSS has set up a crisis unit to manage the incident”; that “within 15 days everything that was a priority had been restored, in particular with an impact on the care and healthcare services of the patients” and that “at the end of December the ULSS had cleaned up all the workstations. The various management systems were made operational only after functional testing, documented by an appropriate report signed by the supplier and also authorised by the information systems management. On this occasion, some security measures for the systems themselves were also adjusted, where deemed necessary. The activities were concluded within a month. The crisis unit set up suspended daily meetings on XX because the situation was now under control” (see minutes of XX, page XX and of XX pages XX and XX).

2.4. Communication of the breach to the interested parties

In relation to the communication of the breach to the interested parties, the Company preliminarily stated that it had made a “social communication via the company’s institutional Facebook channel” on the morning of XX regarding the hacker attack and the blocking of IT services (see notification of XX, section XX, point XX) and, subsequently, stated that “a multidisciplinary task force (IT profile, privacy profile, health profile-clinical risk), specifically appointed and trained to carry out the activity, is carrying out a detailed analysis of the potentially exfiltrated documents, containing personal and non-personal data” and illustrated “the additional tools planned […] to be able to provide any specific communication to the interested parties, also providing tools to support their rights and freedoms through: a general communication, published on the company website, divided into clusters in relation to the different types of documents containing personal data, which could be exfiltrated based on the evidence of the short list; the short-term activation of a clustered multifunction toll-free number to obtain initial summary information regarding the position of each data subject for the exercise of rights regarding the processing of their personal data and any actions and behaviors to be adopted in order to weaken the impact of the incident on the rights and freedoms of the data subjects” (see notification of XX, section XX point XX and XX, point XX) confirming that the planned tools had been implemented (see notification of XX, section XX, point XX).

Finally, the Company declared that the “first and second level analyses carried out by the multidisciplinary task force also with the aid of the specialized tool and the results regarding the number of data subjects involved in the IT breach as well as the categories of personal data subject to the same breach, the data controller believes that the risk for the rights and freedoms of natural persons is high. Based on the third and fourth level analyses, also with the aid of the Esplores software (…), the task force was able to precisely delimit the perimeter of the breach in terms of quantity of personal data, types of personal data and types and number of data subjects, detecting lower numbers than expected at the beginning of the data breach […]; however, given the exposure on the dark web and the personal information impacted, the data controller believes that the risk to the rights and freedoms of natural persons is high and has proceeded with the information obligations pursuant to art. 34 GDPR to inform data subjects and to provide support to the latter. It has proceeded in two ways”. The data controller has also communicated that it has proceeded to forward, to over 700 employees, on XX “communications pursuant to art. 34 of the GDPR […] as follows:

1) employees affected by the publication of identification documents (identity card, driving license, green pass) […]. This was done in light of the potential identity theft, in order to prevent any illicit activities perpetrated by third parties for the interested parties; the communication advised employees to go to the Judicial Authority to report the incident. Since the number of employees was small, they were also contacted in advance by the members of the task force to anticipate the content of the communication itself. Before activating this process, the Company Management, with the collaboration of the Company DPO and the Company Privacy Representative, organized a meeting with the Workers' Trade Unions to represent the results of the work of the task force regarding the analysis of data from documents published on the dark web, in reference to the positions of some workers involved in the violation for the publication of identification documents, and to represent the measures put in place to mitigate the negative effects of the exfiltration on the interested parties. 2) employees affected by the publication of various documents: on XX, another 700 employees were also reached by communications pursuant to art. 34 to inform them of their involvement in the violation […] all communications were successful. Following the same nr. 20 employees contacted the numbers available to obtain information regarding access to the documents. It should be noted that this company necessarily had to manage and adopt two distinct methods of communication to the interested parties involved in the publication of personal data […], with regard to the remaining number of interested parties who cannot be reached by personal communication […] it was decided to proceed with a generalized communication pursuant to art. 34, letter c) of the GDPR […] by posting specific signs in transit areas and with greater attendance (…). 
This choice will allow the Company to redirect resources towards a development plan (training and structural) of the Personal Data Protection Company Management System which had been slowed down by the events connected to COVID which have heavily affected all our structures. Furthermore, the same communication was published on the company website (XX) at the following link: XX. The general communication will be kept in evidence for 6 (six) months from the date of diffusion” (see notification of XX, section XX point XX and XX points XX and XX).

During the inspection activities, the Company confirmed “the actions taken to mitigate the negative effects on the interested parties with reference to the communication, pursuant to art. 34 of the Regulation, already reported in the notification of XX and subsequent additions, specifying that very few specific requests were received from the interested parties through the contact channels set up by the Company (RPD mailbox and dedicated toll-free number), despite the information having been made available through signs posted in all hospitals, clinics and places of passage as well as the intense media campaign developed in the period immediately following the incident” and that “the various press releases […] were also prepared [involving the] judicial authority involved in the investigations” (see minutes of XX, page XX and of XX page XX).

3. Assessments of the Department on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5 of the Code

With regard to the situation described, the Office, on the basis of what was represented by the data controller in the notification of violation and what emerged during the inspection activity, as well as subsequent assessments, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of a proceeding for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation, inviting the aforementioned data controller to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24/11/1981). In particular, with act no. XX of XX, the Authority considered that the Company had processed the personal data in question in violation of the principle of "integrity and confidentiality", pursuant to art. 5, paragraph 1, letter f), of the Regulation and failing to implement technical and organizational measures to promptly identify a violation, as well as to ensure on an ongoing basis the confidentiality, integrity, availability and resilience of the processing systems and services, in violation of art. 32 of the Regulation.

The Company has submitted its defensive briefs, pursuant to art. 166, paragraph 6, of the Code. In particular, with note of XX, it declared that:

“the Company was established on 1 January 2017 by virtue of the healthcare reform of the Veneto Region which took place with the Regional Law of 25 October 2016 n. 19 (“Regional Law”). As a result of the Regional Law, as subsequently integrated and amended, the former ULSS n. 16 of Padua changed its name to ULSS 6 Euganea, incorporating the abolished ULSS n. 15 Alta Padovana and ULSS n. 17 Este”;

“the Company is currently a large and complex entity, with a catchment area of over 920,000 patients, belonging to 101 municipalities, in a territorial extension of 2,127 km2, with a density of approximately 437 inhabitants/km2, making it the most populated health company and with the highest density in the Veneto Region”;

“the Company is organized into 5 social health districts (3 central districts in Padua and 2 districts for upper and lower Padua); by virtue of the aforementioned Regional Law, in the Company, a body of provincial importance, there are 4 spoke hospitals: 2 Hospitals in upper Padua (…), 1 Hospital in the center (…) and 1 Network Hospital in lower Padua (…) as well as a provincial rehabilitation facility”;

“at XX the Company had 7,166 employees including 1,089 doctors and veterinarians, 43 other managers of technical, professional and administrative roles, 3,824 nurses, 1,530 healthcare workers (OSS and OTAA) and 680 administrative staff”;

“the Regional Law also established the Veneto Regional Health Governance Body, called “Azienda Zero”, also outside the perimeter of the Company, to which the Veneto Region assigned the functions relating to the management of technical-specialist activities, including, in art. 2, c. 1, letter g) n. 6 functions relating to “the management of technical-specialist activities for the system and for the bodies of the regional health service such as information technology infrastructures, connectivity, information systems and data flows with a view to homogenization and development of the ICT system”;

“before the reform implemented with the Regional Law, the two companies formerly ULSS15 and formerly ULSS17 each had their own IT system, governed and managed by a Company Complex Operating Unit (UOC) headed, respectively, by an IT Manager; this is because these companies had autonomous legal and organizational personality. The former ULSS16, on the other hand, derived from an organizational model introduced only in the Padua area in 2003, in which the management of the IT structure was governed together with the Padua Hospital Trust by an “Inter-company Structural Department of Information Technology” directed by an IT Manager appointed by mutual agreement by the two companies. This model was subsequently abandoned. At the time of the reform introduced with the Regional Law, the complex and costly procedures for separating the IT systems between the companies in the Padua area were still in place”;

“the Regional Law (…), having assigned to the newly established Azienda Zero many functions supporting the entire healthcare system, including “the acquisition and/or definition of IT infrastructures, connectivity, information systems and data flows with a view to homogenizing and developing the regional ICT system” envisaged that the new companies, even if merged and of considerable size, could have within them, for the management of the IT area, only lower organizational structures, i.e. so-called “Simple” Operating Units (UOS)”;

“since 2017 (…) following the Regional Law, a complex process began which envisaged on the one hand the unification of the information systems of the three former AULSS 15, 16 and 17 (“Unification”) and on the other the continuation of the separation of the information systems previously in place for the former ULSS16 with the Padua Hospital (“Separation”). The Unification and Separation process then slowed down during the pandemic in 2020-2021, as the Company's information systems were engaged in supporting activities intended for the health emergency. The activities carried out by them include: creation of an IT infrastructure for managing gates; support for the logistical reorganizations of departments (semi-intensive and intensive implementation) in line with emergency plans; support for the laboratory analysis process for swabs: IT equipment for collection points, integration of equipment, software adjustments according to regional specifications, redirection of tests to the various laboratories, generation of flows towards Azienda Zero, etc.; transversal support for data extraction and processing; commitment to the creation of vaccine and swab booking systems. The Unification process, aggravated by the pandemic emergency, had a significant impact on the safety reorganization of company networks";

“all technological purchases necessary for the reorganization and strengthening of the infrastructures in safety were and are subject, by virtue of the Regional Law, to the prior authorization of the Regional Commission for Investments in Technology and Construction (CRITE). In this context, the requests for authorization for investments in the IT area for further investments in IT equipment in the year XX (..) and for the two-year period 2021-2022 (…) made by the Company to CRITE, relating to financing for the purchase of infrastructures necessary for the adoption of measures aimed at improving network security, are relevant for the purposes of this defense brief. […] in the request for funding for the two-year period 2021-2022, the Company acknowledged an additional requirement of €5,658,448 for important investments, including “the improvement of risk management also pursuant to AGID measures and the GDPR” and, in particular, for interventions on the “AGID security infrastructure (firewall, IDS probes, log control in accordance with the regulations, vulnerability assessment, penetration test, etc.)””;

“however, CRITE partially responded to these requests only on XX (one year after the first request) […] postponing the coverage of investments of an amount equal to or greater than €200,000.00 to the presentation of the individual projects to the Commission and with the indication to update the Investment Plan, due to the changes that occurred”. With the limited resources available, on XX, the activities of the Corporate Security Program Document (DDG no. XX of XX) were nevertheless started […] which included, among other things, the implementation of MFA VPNs, which were already the subject of the first request for funding for 2020”;

“the Company notified this Guarantor Authority, pursuant to art. 33 of the Regulation, of the violation of personal data on XX, integrating it with subsequent notes on XX and XX, XX and XX, XX and, finally, transmitting the definitive closure on XX. Only on XX, a full 370 days after the closure of the notification, (…) the “Guarantor Authority proceeded” (..) to inspections (lasting three days). (…), the illegitimacy of the duration of the investigation phase that preceded the notification of the Communication must necessarily be noted. As already noted, the Communication was notified on XX, 477 days after the notification of closure of the data breach and 105 days after the end of the inspections conducted by this Guarantor Authority at the Company's premises";

"the sanctioning activity conducted by this Guarantor Authority is also subject to compliance with art.14, second paragraph, of Law no. 689/1981 […]. It is also useful to recall the jurisprudence of the Council of State” regarding the deadline for the notification of the infringement by the Administration (see Council of State, sentence 1330/2015)”;

“the long period of time that has already passed is already longer than the “180 days from the notification of the violation of personal data” provided for by Regulation 2/2019 of this Guarantor Authority for the type “Proceedings relating to the violation of personal data (articles 33 and 34 of the GDPR)” (see table B, part 1). It is therefore believed that the sanctioning procedure initiated with the Communication is born flawed in an incurable way due to the abnormal period of time that has elapsed between the sending of the notification of closure of the data breach and the start of the same”;

on the merits of the matter, "let us challenge the reconstruction made by this Most Illustrious Guarantor Authority as it is based exclusively on the partial information acquired during the inspection activity, during which the person who, at the time of the violation, was the Head of Information Systems of the Company and who, prior to the incident, had dealt with the activities relating to securing the networks was not present, because he had resigned. (...). What was declared in the minutes of the XX on page 3 regarding the VLANs must therefore necessarily be integrated with the declarations, subsequently acquired by the Company of the engineer (...) who, in his capacity as Head of Information Systems, had at the time managed this aspect";

in addition to what was declared during the inspection activities, "despite the difficulties connected to the Unification referred to in the first paragraph, on the date of the incident, states the engineer. (…), with the confirmation also of his then collaborators (…), that “as of the XX, also due to the available funding, the following activities had been completed: - definition of the addressing plan for the entire Company, configuration and segmentation of the new Camposampiero Datacenter; - commissioning of the new AULSS 6 domain. Furthermore, they were in an advanced stage of implementation: the configuration of the various applications on the new domain with simultaneous migration from the old datacenters, updating and insertion into the network in the various defined VLANs”;

“although the partitioning plan on all the subnets of the Company’s offices was not completed, it should be clarified that at the time of the incident there was in any case a separation by VLAN of all the main data communication flows to and from all the datacenters towards the various offices. Furthermore, it is possible to state with reasonable certainty that not even the completion of the segmentation and segregation, which was already underway, could have prevented the incident from occurring, for the reasons indicated below and for the type of incident itself”;

"VLANs are certainly a method for segmenting a broadcast domain into multiple smaller domains. At OSI level 2, each VLAN contains only the traffic of devices belonging to that VLAN. With VLANs, work groups can be created with devices physically located anywhere on a network, which can however communicate as if they were on the same physical segment, as indicated in the diagrams below for clarity. It follows that a user who has administrator credentials for a computer network can access the "management VLANs" that are used to configure and maintain VLANs in complex environments and, therefore, is within his or her powers to connect to them, modify them and ultimately bypass them as a security measure to reduce the impact of an attack such as the one carried out by the two attackers in the incident in question";

“these considerations are also confirmed by XX’s statement, which specifies: “a system administrator, which the attacker had become, on XX, having the ability to make lateral movements between the server and DB systems could access the various VLAN networks, making this security measure less effective in this case””;

“the attacker initially acted with unprivileged user accounts and subsequently with legitimate system administrator accounts, in a relatively short period of time. Due to the nature of the role assumed by the attacker in the last phase, therefore, completing the segregation and segmentation process would not have constituted the additional security measure capable of concretely preventing what happened. Nonetheless, as clarified during the inspection, it is confirmed that the segregation and segmentation process had been largely started as soon as the necessary economic resources were assigned and in any case before the incident and that said process was in any case completed after the incident, in order to minimize the impact of cyber attacks of a different nature than the one that occurred”;

“as for the contested absence of the double authentication factor of VPNs […] with reference to VPNs accessible with non-privileged users (therefore non-administrator), in this case used by the attackers in the period between XX and XX […] it is evident that at the time of the incident the double authentication factor did not even constitute a measure envisaged at the maximum level by AGID in the "Minimum ICT security measures for public administrations. (Directive of the President of the Council of Ministers 1 August 2015)" of April 2017, in force ratione temporis”;

“with reference to VPNs accessible with system administrator users, whose first access occurred only on XX, the aforementioned AGID Security Measures envisage the double authentication factor only for “privileged users and administrative rights”, classifying the relative measure as a “High” level. And, in any case, it is reiterated that the implementation of the double authentication factor was underway to guarantee the maximum levels referred to in the aforementioned security measures of AGID, given that the Company had made a request to CRITE two years before the date of the incident and had only received partial authorization in XX. Following the authorization, the Company had promptly taken action to implement this measure, included in the security program document of XX, which however required implementation times such that they were not in force at the time of the incident. It should be noted that in any case on the date of the incident, although the MFA (Measure 5.6.1) had not yet been implemented, the alternative measure of high password strength for administrative users (Measure 5.7.1) was active, to be used "when multi-factor authentication is not supported" expressly indicated as equivalent by the aforementioned AGID Security Measures (see Annex XX of the defense documents of XX). Furthermore, it is worth noting that after the incident all active VPNs were equipped with MFA";

“what is relevant for the purposes of the timely action of the data controller, who is required to notify the Data Protection Authority of the violation within 72 hours, is the moment from which he had knowledge of the disclosure of or unauthorized or accidental access to the personal data (art. 33 par. 1 of the Regulation). On this point, it is also necessary to recall recital 87 of the Regulation” and the Guidelines on the notification of personal data breaches pursuant to Regulation (EU) 2016/679, adopted on 3 October 2017, Amended version and adopted on 6 February 2018. WP250;

“the “suspicion of a violation” exists only in the presence of elements suitable to presume (i.e. without reasonable certainty), the “unauthorized or accidental disclosure or access to personal data” highlighting that in the aforementioned 2017 Guidelines it was “clarified that in order to promptly identify a violation it is appropriate not to underestimate, but rather to analyze, the suspicions of the same, although the measures to remedy it require that the data controller is actually “aware” of the violation. Consequently, the data controller must “have internal procedures to be able to detect a violation and remedy it. For example, to detect certain irregularities in data processing, the data controller or processor can use certain technical measures such as data flow and log analyzers, from which it is possible to define events and alerts by correlating any log data”;

“in this context, the data controller must adopt technical organizational measures (pursuant to art. 32 of the Regulation) suitable for promptly identifying, treating and reporting a violation. Well, as it results from the reading of the Second Opinion carried out by Yarix (“Second Opinion”), the attackers in the period XX - XX had access to the Company’s systems by exploiting VPNs with unprivileged user accounts […]; the first access to the VPN with system administrator privileges was carried out on XX at 9.25 pm and therefore just a few hours before the actual knowledge of the violation materialized. The Company, at the time of knowledge of the incident (XX), had technical and organizational measures suitable for promptly identifying, treating and reporting a security violation of the network perimeter through unauthorized or forced VPN accesses. These measures, however, could not allow the accesses carried out before the violation occurred to be assessed as symptomatic of a violation, as they were carried out using valid access credentials (…); only after the violation occurred on XX was it possible to reconstruct that the accesses in question were in fact carried out by individuals who had abusively come into possession of those valid credentials”;

“the measures adopted by the Company for the timely identification of the violation consisted, in addition to what was previously declared in the documents, also in the activities entrusted to the company XX, by virtue of the Consip Agreement “Management and Maintenance Service of IP Systems and Workstations” (SGM). In particular, XX […] had to independently carry out a series of activities aimed at managing security devices […]; the activities covered by the Consip Agreement and entrusted to XX are in line with the indications of the Working Group regarding the timely identification of a violation, including “For example, to detect certain irregularities in data processing, the data controller or data processor may use certain technical measures such as data flow and log analyzers, from which it is possible to define events and alerts by correlating any log data”. In this regard, it is worth noting that XX declared to the Company that it had carried out the aforementioned contractually required activities and in particular: “a) 24-hour monitoring service, intervention and proactive analysis also for IT security issues carried out through the systems used to manage and maintain the Administration’s equipment, in particular for firewall, router/switch and server equipment; b) periodic analysis of logs to search for anomalous events (access attempts, anomalous traffic, viral attacks, policy violations, etc. and any potentially harmful event). Having said this, it is reiterated that the monitoring systems in use were configured to alert in the event of operating anomalies of the devices covered by the agreement, i.e. interruption of their functionality and/or degradation of performance (point a.), while the policies used to search for anomalous events (point b.) included warnings for XX;

“in this case, the attacker initially acted with unprivileged user accounts and subsequently with legitimate system administrator accounts, in a relatively short period of time, with limited access attempts (no brute force), from countries not present in the black list and without causing operating anomalies to the devices under monitoring (no denial of service was detected in the period prior to XX). This situation would probably not have been detected even by advanced SOCs that had not been equipped with machine learning systems and Artificial Intelligence algorithms capable of detecting in real time significant deviations from the “normal” behavior of each user, device and/or subnet of the organization (…); only after further investigation, on XX, the Yarix Company, to which the Company commissioned the Second Opinion, was able to consider the previous accesses starting from XX as activities connected to the incident”;
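An added illustration, not part of the decision or of the Company's submissions: the contrast the defence draws in the preceding paragraphs, a monitoring rule limited to a country black list beside simple per-account baselines of the kind the WP250 passage on correlating log data refers to, run over constructed VPN logon records (all accounts, addresses, countries and timestamps are invented).

```python
"""Baseline correlation over VPN logon records (constructed example).

The defence on this page says its monitoring alerted on device health and on
source countries in a black list, and that logons made with valid credentials
from non-black-listed countries went unnoticed.  This compares that rule set
with simple per-account baselines derived from the log itself.  Every account,
IP address and record below is made up.
"""
from collections import defaultdict
from datetime import datetime

# Constructed VPN authentication log (not from the decision).
# Columns: ISO timestamp, account, role, source IP, source country, result
SAMPLE_LOG = """\
2021-11-28T08:12:00 mrossi      user  203.0.113.10 IT success
2021-11-29T22:40:00 mrossi      user  198.51.100.7 DE success
2021-11-30T23:05:00 mrossi      user  198.51.100.7 DE success
2021-12-01T09:00:00 lverdi      user  203.0.113.22 IT success
2021-12-01T21:25:00 adm-bianchi admin 198.51.100.7 DE success
"""

BLACKLIST = {"KP", "IR"}       # constructed country black list
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, constructed working-hours baseline


def parse_log(text):
    """Parse the whitespace-separated records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, ip, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "ip": ip, "country": country,
                       "result": result})
    return sorted(events, key=lambda e: e["ts"])


def blacklist_only_alerts(events, blacklist=BLACKLIST):
    """The geographic rule the defence describes: alert only when the source
    country is black-listed.  Device-health alarms are out of scope here."""
    return [(e["ts"].isoformat(), e["user"], e["country"])
            for e in events
            if e["result"] == "success" and e["country"] in blacklist]


def baseline_alerts(events, known_countries=None):
    """Three behavioural rules built from the log itself:
      new-country                 successful logon from a country this account
                                  has never used before (no alert on first sight)
      admin-first-logon-off-hours an admin account's first VPN logon outside
                                  BUSINESS_HOURS
      priv-after-unpriv-same-ip   admin logon from a source IP previously used
                                  only by unprivileged accounts
    known_countries lets a caller seed per-account history; by default the
    first record for an account establishes its baseline."""
    seen_countries = defaultdict(set)
    for user, countries in (known_countries or {}).items():
        seen_countries[user].update(countries)
    unpriv_by_ip = defaultdict(set)   # source IP -> unprivileged accounts seen
    admins_seen = set()
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        user, country, ip = e["user"], e["country"], e["ip"]
        if seen_countries[user] and country not in seen_countries[user]:
            alerts.append(("new-country", user, country))
        seen_countries[user].add(country)
        if e["role"] == "admin":
            if user not in admins_seen and e["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("admin-first-logon-off-hours", user,
                               e["ts"].isoformat()))
            admins_seen.add(user)
            if unpriv_by_ip[ip]:
                alerts.append(("priv-after-unpriv-same-ip", user, ip))
        else:
            unpriv_by_ip[ip].add(user)
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("black-list rule:", blacklist_only_alerts(events))   # -> []
    for alert in baseline_alerts(events):
        print("baseline rule:", alert)
```

On the sample the black-list rule raises nothing, while the baseline rules flag the account's change of country, the off-hours first admin logon and the admin logon from an address previously seen only with an unprivileged account.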

“taking into account the modalities of the incident and the activities carried out to prevent and identify it, as well as the historical-technological period different from today (the incident occurred at the end of the year XX), the Company cannot be blamed for the lack of suitable measures for the timely identification of the incident”;

“among the parameters that data controllers are required to take into consideration in identifying the suitable security measures for the specific processing, the “state of the art” and the “implementation costs” are relevant pursuant to art. 32 of the Regulation. With respect to the “state of the art”, it must be considered that the standard defined by the AGID Security Measures of 2017 constituted, for a public administration such as the Company, an undoubted reference parameter useful for evaluating, with the knowledge at the time, the adequacy of the security measures in place at the time of the violation. Moreover, the notice of contestation does not clarify what additional security measures the Company should have adopted in order to prevent the incident that occurred. Even the possible availability of additional “firewall logs”, as noted in the Communication, would not have allowed the violation to be detected earlier, or at most would have allowed an attempt to trace the identity of the attackers, an activity that is in any case irrelevant for this Most Illustrious Guarantor Authority”;

“on the contrary, as has been demonstrated, even in the presence of a control room that monitored the data flows, it would not have been possible to identify the violation earlier. In fact, the attack occurred using the credentials of a user without privileges and, moreover, not accessing from countries in the so-called black list. Probably, such a structured attack would be identified first only by a modern control room capable of processing data also through artificial intelligence application tools. But, it is reiterated, for the purposes of this proceeding, the "state of the art" of 2021 must be taken into consideration. To what has been said, it must necessarily be added that the assessments on the "implementation costs" are outside the sphere of competence of the Company and that, by virtue of the Regional Law, they are the exclusive competence of CRITE. In fact, the Company had repeatedly requested to implement additional security measures, but CRITE had not endorsed these requests [...] by not allocating more funds (...)";

“on the violation of the principle of integrity and confidentiality, the reconstruction carried out is contested in its entirety, since the Company was in line with the AGID Security Measures at the time of the incident and it has not been proven that further, but not better specified, security measures would have prevented the violation that occurred or would have allowed the Company to notice it beforehand. Furthermore, the Company was not materially able to implement technical measures different from those previously approved by CRITE, under penalty of incurring treasury violations (and even criminal ones)”;

“the number of data subjects involved is equal to 9,520 (of which 8,535 affected by a violation of health data and 985 affected by a violation of personal, contact, access and identification data), out of a total of more than 920,000 patients belonging to the Company. However, […] from the re-examination of the documents subject to exfiltration, it emerged that the actual number of data subjects to whom the health data refer is substantially lower, due to bias attributable to the artificial intelligence software used. It is confirmed that the personal data exfiltrated and published under examination refer to documents present on PCs and not on company servers, in breach of the company policies already on file”;

“the Company was the victim of a hacker attack on its information systems carried out by two distinct threat actors – XX and XX – who acted almost simultaneously. The Company was equipped with adequate technical and organizational security measures for the historical-technological period in which the violation occurred (XX), circumstances that exclude the existence of any form of fault on the part of the Company, even in its mildest form. At most, an error in good faith can be attributed to the Company, which operated in compliance with the sector regulations in force at the time and only subsequently became aware that it was necessary to supplement said measures, as had already been planned”;

"at the time of the incident" all the security measures identified by AGID were "operational within the Company and (...) the same (...)" had "proactively taken action to make further improvements, although not required by the sector regulations in force at the time of the facts" (...), the error, if there was one, was blameless, as it was not susceptible to being prevented by the Company, despite the (extra)ordinary diligence shown in seeking to implement increasingly advanced security measures", highlighting the "extraordinary effort made by the Company to mitigate the effects of the violation for the data subjects. After the incident, the Company immediately proceeded to complete the Segmentation and Segregation process, as well as to provide two-factor authentication for all users. Furthermore, it implemented all the technical and organizational measures specified in the notification supplements and its attachments, also recorded during the inspection activities and also indicated in the Communication”;

“the Company, with the support of the Italian Academy of the Internet Code (IAIC), provided between XX and XX employees with a training and refresher course, tailored to the specific activities of the various employee categories (for IT employees equal to 80 hours), in which top-level and highly professional teachers were involved. A further training course is being planned with the same body”;

“the Company has actively cooperated with the Guarantor Authority since the preliminary notification carried out promptly and in the subsequent supplements, as well as during the inspection activity” and “has also collaborated with the judicial authorities and the postal police and carried out the communications pursuant to art. 34 of the Regulation (…)”.

During the requested hearing, which was held on XX, the Company, in addition to substantially reiterating what had already been highlighted in the briefs, represented that:

- “with regard to the segmentation of the networks, also in light of the statements made by the engineers, attached to the briefs, it is highlighted that the segmentation process, at the time of the incident, was in an advanced state of implementation; the delay, in this regard, was attributable to the unification and spin-off processes of the Companies belonging to the current controller; in any case, the segmentation of the networks would not have prevented the lateral movements of administrative and non-administrative users, for the reasons also highlighted by the supplier XX in doc. 5, attached to the briefs; in particular, the aforementioned movements could have been identified only with very sophisticated SOCs, equipped with machine learning and AI systems, not widespread in XX, at the time of the incident”;

- “with reference to MFA on the VPNs, the “Minimum measures envisaged for public administrations” of Agid had been adopted in point 5.7.1 at the advanced implementation level of password strength for administrative users, to be used when multi-factor authentication is not supported, as an equivalent measure; nevertheless, the implementation of two-factor authentication had been planned and started, because, since XX, the authorization for the purchase and the related financing had been requested from CRITE, approved by the latter only partially in XX; in XX, therefore, the Company had presented the security program document that provided for MFA, which started the authorized investments; therefore, in XX all the preparatory activity for the full implementation of this measure had been started, and it was completed shortly after the incident for all types of users";

- "even though there was no control room, which was not provided for by AGID as a security measure, this type of incident could not have been detected other than with sophisticated AI systems";

- "the violation did not affect the integrity of the data, but only the availability and confidentiality";

- “attention is drawn to the high level of collaboration with the Authority demonstrated by the Company at every stage of the procedure, and to the proactivity demonstrated by the same, which also provided training to staff on security and privacy (it should be noted, in this regard, that the course with the support of IAIC took place not in XX, but in XX) and reorganized roles to ensure more widespread and granular control within the enormous structure”;

- “the measures implemented immediately after the incident (cyber, technical and organizational) have led, to date, to a substantial reduction from the original gross risk of 12.4 to a residual risk of 5.58; the risk assessment was carried out on the basis of the ENISA (Handbook on Security of Personal Data Processing), ISO 27005 and ISO 29134 documents; this, in light of the considerable economic and organizational commitment made by the Company”;

- “despite the extensive press campaign, the Company has so far received only 29 requests for clarification regarding possible involvement in the cyber attack and no requests for compensation”.

4. Outcome of the investigation

Having taken note of what was represented by the Company during the proceedings, it is noted that:

“health data” means “personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her state of health” (Article 4, paragraph 1, no. 15 of the Regulation);

Recital no. 35 of the Regulation specifies that health data “includes information about the natural person collected in the course of his or her registration for the purpose of receiving health care services”; “a number, symbol or specific element attributed to a natural person to uniquely identify him or her for health purposes”;

personal data must be “processed in a manner that ensures appropriate security […] including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures” (principle of “integrity and confidentiality”, art. 5, par. 1, letter f), of the Regulation);

art. 32 of the Regulation establishes that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk […]” (par. 1) and that “when assessing the appropriate level of security, special account shall be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (par. 2);

the “Guidelines 9/2022 on the notification of personal data breaches under the GDPR” adopted by the European Data Protection Board on 28 March 2023 - which update the previous “Guidelines on the notification of personal data breaches under Regulation (EU) 2016/679” (lastly adopted on 6 February 2018 by the Article 29 Working Party and adopted by the European Data Protection Board on 25 May 2018, WP250 rev. 01) exclusively to clarify the notification requirements for controllers not established in the EU - specify that “the ability to promptly identify, address and report a breach must be considered an essential aspect” of the technical and organizational measures that the controller and processor must implement, pursuant to art. 32 of the Regulation, to ensure an adequate level of security of personal data;

recital no. 87, specifies that "it is appropriate to verify whether all appropriate technological and organizational protection measures have been implemented to immediately establish whether there has been a breach of personal data and to promptly inform the supervisory authority and the data subject".

5. Assessments of the Guarantor and conclusions.

In light of the above, it is noted that the processing carried out in the context in question requires the adoption of the highest security standards in order not to compromise the confidentiality, integrity and availability of the personal data of a very significant number of data subjects. This, also taking into account the purposes of the processing and the nature of the personal data processed, including those belonging to special categories. On this basis, the security obligations imposed by the Regulation require the adoption of rigorous technical and organizational measures, including, in addition to those expressly identified in art. 32, par. 1, lett. from a) to d), all those necessary to mitigate the risks that the processing presents.

First of all, in representing that the terms indicated in table 2, attached to "Regulation no. 2/2019, concerning the identification of the terms and organizational units responsible for administrative procedures at the Guarantor”, approved with resolution no. 99 of 4 April 2019, published in the Official Journal no. 107 of 9 May 2019 and in www.gpdp.it, web doc. no. 9107640, concern the aspects relating to the obligations referred to in Articles 33 and 34 of the Regulation, it is highlighted in any case that, in the event that inspection activities are necessary for the handling of the matter, the running of the terms is suspended until the conclusion of the same (Article 6, paragraph 2, of the aforementioned Regulation). It should also be noted, with specific reference to the contested lateness of the initiation of the procedure by the Authority, that, contrary to what was asserted by the Company, the Office notified the same on XX, within the terms of the law (120 days from the ascertainment of the violation), given that the acquisition of all the information relevant for the purposes of a complete assessment of the conformity of the processing in question, with particular reference to the security profiles, was completed only following the outcome of the inspection activity, concluded on 8 XX, and with the acquisition of the last elements, provided by the Company with a note of XX to resolve the reservations of the inspection.

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code “False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor”, the elements provided by the data controller in the defense statement mentioned above and during the hearing, although certainly worthy of consideration, do not allow the findings notified by the Office with the aforementioned act of initiation of the proceeding to be completely overcome, since none of the cases provided for by art. 11 of the Guarantor regulation no. 1/2019 apply.

From the examination of the information and elements acquired as well as the documentation provided by the Company, it emerged that the processing was carried out in violation of art. 5, par. 1, letter f), and 32 of the Regulation, in relation to the following profiles:

5.1. Failure to adopt adequate measures to promptly detect the violation of personal data

During the investigation, it emerged that “XX 22:02:12 First access from XX made by IP 193.178.169.22 (associated with attackers belonging to XX) using the XX user” and that the malicious individuals carried out a series of operations preparatory to the cyber attack. The analyses carried out by the company YARIX did not allow “to trace the methods used by the attackers to compromise the privileged accounts due to the deletion of the logs” and “with reference to the firewall logs (traffic and/or VPN), the limited local retention and the absence of useful extractions (regarding some of them) to be performed close to the event, so as to avoid the rotation of the logs themselves, did not allow the identification of further evidence (VPN accesses or traffic to anomalous IPs)” (see YARIX report). The Company also stated that "there was a system monitoring system but not a control room".

These elements did not allow the data controller to promptly identify the personal data breach that occurred.

In this regard, it is specified that the arguments formulated by the Company in the briefs regarding the identification of the moment in which the data controller can be considered aware of the breach and, therefore, from which it is required to notify the Supervisory Authority pursuant to art. 33 of the Regulation, are not relevant in relation to what is contested in the aforementioned notification act of XX; in fact, that aspect was not the subject of observations by the Authority, which did not identify, with respect to the Company, an omission or delay in the aforementioned notification of breach pursuant to art. 33 of the Regulation. What did emerge instead was the inadequacy of the measures adopted to promptly detect the violation of personal data based on anomalous behavior, detectable from VPN accesses to the company network (such as, for example, the time and frequency of accesses, generally at night, and their origin from IP addresses of foreign countries, which should, in any case, have been subject to verification) and from operations carried out with domain accounts with or without administrative privileges (such as, for example, the deactivation of antivirus software on some systems).

Failure to adopt adequate measures to promptly detect personal data breaches does not comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation which, in the case in question, taking into account the provisions of Guidelines no. 9/2022 (and the previous Guidelines on the notification of personal data breaches pursuant to Regulation (EU) 2016/679, adopted on 3 October 2017, Amended version and adopted on 6 February 2018. WP250), requires that the controller and the processor must implement measures to “identify […] a breach promptly”.
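The indicators the Garante lists in section 5.1 (VPN logins at night, logins from countries where no staff are expected, a privileged account used from the same source shortly after an unprivileged one, antivirus switched off on a host) can be checked with plain log correlation rather than the machine-learning SOC the Company argued would have been needed. The script below is an added example and is not code from the decision, the Company or its suppliers; the log format, the account names, the IP-to-country table (a stand-in for a GeoIP lookup), the business-hours window and the one-hour correlation threshold are all constructed for illustration.

```python
"""Behaviour-based detection over constructed VPN and endpoint log lines.

Added example for illustration; it is not code from the decision, the
Company or its suppliers. Log format, accounts, IP-to-country table,
business-hours window and thresholds are all assumptions.
"""
import re
from datetime import datetime, time

# Constructed IP -> country table standing in for a GeoIP lookup.
# "XX" and "YY" are placeholder codes for foreign origins that are
# not on any block list (the situation the Company described).
GEO = {
    "192.0.2.10": "IT",
    "192.0.2.11": "IT",
    "198.51.100.7": "XX",
    "203.0.113.42": "YY",
}
EXPECTED_COUNTRIES = {"IT"}           # where staff are expected to connect from
BUSINESS_HOURS = (time(7, 0), time(20, 0))
ADMIN_ACCOUNTS = {"domadmin01", "svc-backup-admin"}
ESCALATION_WINDOW_S = 3600            # unprivileged -> admin login from one source

# Constructed sample lines (documentation IP ranges, fictitious users).
SAMPLE_LOGS = """\
2021-11-29T09:15:02 vpn-login user=mrossi src=192.0.2.10 result=ok
2021-11-29T22:02:12 vpn-login user=mrossi src=198.51.100.7 result=ok
2021-11-29T22:40:51 vpn-login user=domadmin01 src=198.51.100.7 result=ok
2021-11-29T22:47:03 endpoint host=srv-pacs02 user=domadmin01 event=av-disabled
2021-11-30T03:10:44 vpn-login user=lbianchi src=203.0.113.42 result=fail
2021-11-30T08:30:00 vpn-login user=lbianchi src=192.0.2.11 result=ok
"""

VPN_RE = re.compile(r"^(\S+) vpn-login user=(\S+) src=(\S+) result=(ok|fail)$")
EP_RE = re.compile(r"^(\S+) endpoint host=(\S+) user=(\S+) event=(\S+)$")


def parse(text):
    """Turn raw lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append({"kind": "vpn", "ts": datetime.fromisoformat(ts),
                           "user": user, "src": src, "result": result})
            continue
        m = EP_RE.match(line)
        if m:
            ts, host, user, event = m.groups()
            events.append({"kind": "endpoint", "ts": datetime.fromisoformat(ts),
                           "host": host, "user": user, "event": event})
    return events


def detect(events):
    """Return (rule, timestamp, user, where) tuples, one per anomaly.

    The rules mirror the indicators the decision lists: origin country,
    time of day, privileged use following an unprivileged login from the
    same source IP, and antivirus being switched off on a host.
    """
    alerts = []
    last_unprivileged = {}   # src IP -> most recent successful non-admin login
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] == "vpn" and e["result"] == "ok":
            if GEO.get(e["src"], "unknown") not in EXPECTED_COUNTRIES:
                alerts.append(("foreign-origin", e["ts"], e["user"], e["src"]))
            if not BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]:
                alerts.append(("off-hours", e["ts"], e["user"], e["src"]))
            if e["user"] in ADMIN_ACCOUNTS:
                prev = last_unprivileged.get(e["src"])
                if prev and (e["ts"] - prev["ts"]).total_seconds() <= ESCALATION_WINDOW_S:
                    alerts.append(("admin-after-unprivileged", e["ts"], e["user"], e["src"]))
            else:
                last_unprivileged[e["src"]] = e
        elif e["kind"] == "endpoint" and e["event"] == "av-disabled":
            alerts.append(("av-disabled", e["ts"], e["user"], e["host"]))
    return alerts


def count_by_rule(alerts):
    """Per-rule counts, the kind of summary that decides whether to page someone."""
    counts = {}
    for rule, *_ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS)):
        print(*alert)
```

Two points follow from the decision itself. First, none of these rules needs a block list or a volumetric threshold: the access the Garante describes (few attempts, no brute force, a foreign source not on any black list, then an administrator account from the same origin) trips the country, time-of-day and escalation rules on its own. Second, the rules only work if VPN and firewall logs are shipped to central storage before local rotation; section 5.1 records that limited local retention and deleted logs left YARIX unable to reconstruct the VPN accesses, so retention is a precondition for detection, not an afterthought.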

5.2. Failure to adopt adequate measures to guarantee network security

During the investigation, it emerged that the Company had not adopted adequate measures to segment and segregate the networks on which the workstations of its employees were located, as well as the systems (servers) used for processing. In fact, as also highlighted by the Company during the inspection activities, "the servers of the ASL ex 16 and ex 17 were located on a dedicated VLAN different from the one where the workstations were located and a new environment was being prepared starting from the 3 Data Centers of the 3 ASL". In relation to this aspect, the Company, following the incident, deemed it necessary to implement "an environment with multiple isolated VLANs and firewall rules".

In this regard, within the scope of the analysis activities of the company YARIX, in relation to the violation of personal data in question, it was noted that "this type of threat is countered by implementing the so-called defense-in-depth, or the activation of various security measures on various layers of the infrastructure that separate the attacker from administrative access to the entire network. Based on Yarix's experience in technological and organizational IT security, an activity plan may be analyzed to be implemented on the basis of agreed priorities, taking into account the peculiarities of the healthcare sector in which many IT systems are certified by the manufacturer and cannot be modified without losing the guarantee of correct functioning" (see attachment section, XX to the notification of XX).

In this regard, it is highlighted that the circumstance that, at the time of the incident, the Company had started some interventions to strengthen the security of the networks, not yet completed due to the processes of unification and spin-off of the Companies belonging to the current controller, although worthy of consideration in the assessments regarding the existence or otherwise of a violation of the principles of data protection by design and by default pursuant to art. 25 of the Regulation, cannot be considered for the purpose of deeming the violation of art. 32 of the Regulation non-existent. The creation of VLANs, being a preparatory measure for an effective segregation and segmentation of the networks on which the workstations are located with respect to those where the server systems are located, must be accompanied by additional measures such as, for example, adequate filtering rules on the firewall systems.

Furthermore, at the time the personal data breach occurred, remote access, via VPN, to the Company's network, occurred through a computer authentication procedure based only on the use of username and password. In relation to this aspect, the Company specified that "on XX a "Programmatic Document on Security" had been approved to strengthen security measures and adapt them to the minimum AgID measures [...] this document included, among other things, the measure of two-factor authentication for VPN access" (see notification of XX, section XX, point XX and minutes of XX, page XX).

On this point, it should be noted that the fact that two-factor authentication constituted, as claimed by the Company in its defense briefs, a measure indicated by the Agid guidelines containing the "Minimum ICT security measures for public administrations" (Directive of the President of the Council of Ministers of 1 August 2015) only for "privileged users and administrative rights" does not exempt, in general, the data controller from the obligation to carry out a concrete assessment of the appropriateness of the measures adopted to guarantee the security of the processing, taking into account the context in which it operates. In particular, the adoption of the measures indicated in the aforementioned guidelines, which moreover indicate the "minimum security measures for the Italian public administration, keeping in mind the enormous differences in size, mandate, types of information managed, exposure to risk, and anything else that characterizes the over twenty thousand public administrations", does not guarantee, in itself, compliance with the obligations regarding the security of the processing. The aforementioned guidelines, in fact, have the purpose of "indicating to public administrations the minimum ICT security measures that must be adopted in order to counter the most common and frequent threats to which their information systems are subject", starting "from the set of controls known as SANS 20 [...] in version 6.0 of October 2015", and "ensuring the minimum level of protection in most situations [...] keeping in mind the enormous differences in size, mandate, types of information managed, exposure to risk, and anything else that characterizes the over twenty thousand public administrations", recommending that "each administration [...] identify [within itself] any subsets, technical and/or organizational, characterized by homogeneity of security requirements and objectives, within which [...] to apply in a homogeneous manner the measures suitable for achieving the objectives themselves". Specifically, the guidelines, having been issued on the basis of the state of the art, technical knowledge and cyber threats present in 2015, could not take into account the worsening of cyber risk in recent years, also due to the spread and adoption, during the COVID-19 pandemic, of technological methods and tools that allow activities (work and otherwise) to be performed remotely. This change of scenario, also given the significant increase in attacks by cybercriminals, would have required, by the time of the incident, a renewed assessment that weighed the new and much more serious risks that the processing posed to the rights and freedoms of the data subjects against the adequacy of the measures adopted. That assessment, which cannot be crystallized and therefore concluded at the time the processing was designed, should have been carried out continuously over time, also in light of technological development; this, also in order to develop an awareness of the need to mitigate the risks arising from personal data breaches, considering moreover that the Company used two VPNs, from different suppliers, both of which served as the entry point for the malicious actors.

The alleged compliance with the measures indicated in the aforementioned Agid Guidelines, therefore, does not exhaust the obligation of the data controller to adopt adequate measures based on his own risk assessment. In fact, the Regulation, in compliance with the principle of accountability, delegates to the data controller the task of identifying and adopting technical and organizational measures suitable for guaranteeing a level of security adequate to the risks presented by the processing, which, in this case, were high due to the nature of the data processed, the large scale of the data subjects, including vulnerable ones, involved, as well as, in the event of a violation, the possible negative consequences for the data subjects with particular reference to the compromise of the confidentiality of the health data relating to them.

The failure to implement, at the time of the violation, adequate measures to guarantee the security of the networks does not fully comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation which, in the case in question, requires that the data controller and the data processor must implement measures to "ensure on an ongoing basis the confidentiality, integrity, availability and resilience of the processing systems and services" (letter b)).

6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (arts. 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of art. 5, par. 1, letter f) and 32 of the Regulation, caused by the conduct carried out by the Company, is subject to the application of the administrative pecuniary sanction pursuant to art. 83, par. 4 and 5 of the Regulation.

It should be noted that the Guarantor, pursuant to Articles 58, par. 2, letter i) and 83 of the Regulation, as well as Article 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction to be published, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In light of the above and, in particular, of the category of personal data affected by the breach, the number of data subjects involved and the unintentional nature of the breach, as the episode appears to have been caused by malicious conduct by third parties, of which the postal police was formally informed, it is believed that the level of severity of the breach committed by the Company is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

That said, having assessed certain elements as a whole and, in particular, that:

- the Guarantor has become aware of the event following the notification of violation made by the Company, pursuant to art. 33 of the Regulation and from some requests received by the Guarantor on the incident (art. 83, par. 2, letter h), of the Regulation);

- the Company has taken charge of the problem by introducing a diversified series of measures, some already planned, aimed not only at mitigating the damage suffered by the data subjects but also at reducing the likelihood of a recurrence of the event (art. 83, par. 2, letters c) and f) of the Regulation);

- the Company has already been the recipient of a sanctioning provision in relation to relevant violations (provision XX, no. XXX, web doc. no. 9899929) (art. 83, par. 2, letter e), of the Regulation);

- the controller has cooperated with the Authority well beyond the obligation provided for by art. 31 of the Regulation at every stage of the investigation, including the inspection, in order to remedy the violation and mitigate its possible negative effects (art. 83, par. 2, letter f), of the Regulation);

it is deemed appropriate to determine the amount of the pecuniary sanction provided for by art. 83, par. 5 of the Regulation, in the amount of € 22,000.00 (twenty-two thousand) for the violation of arts. 5 and 32 of the same Regulation, as an administrative pecuniary sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also deemed necessary to apply the accessory sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Azienda ULSS n. 6 Euganea, for the violation of the basic principles of processing set out in art. 5, par. 1, letter f) and of the obligations set out in art. 32 of the Regulation, in the terms set out in the reasons;

ORDERS

to the Azienda ULSS n. 6 Euganea, with registered office in Padua, Via Enrico degli Scrovegni, n. 14 – 35131 - C.F./Partita IVA 00349050286, to pay the sum of Euro 22,000.00 (twenty-two thousand/00) as an administrative pecuniary sanction, pursuant to articles 58, par. 2, letter i) and 83 of the Regulation, for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed;

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €22,000.00 (twenty-two thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

the publication of this provision in full on the website of the Guarantor, pursuant to art. 166, paragraph 7, of the Code, and believes that the conditions for annotation in the internal register of the Authority pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist.

Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei


[web doc. no. 10057610]

Provision of 17 July 2024

Register of provisions
no. 444 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY’S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the councilor Fabio Mattei, general secretary;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter the “Regulation”);

SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code”, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “Code”);

SEEN Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”;

SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

SEEN the documentation in the files;

SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. The breach of personal data and complaints

On XX, the ULSS 6 Euganea Company, hereinafter “Company”, sent to the Authority, pursuant to art. 33 of the Regulation, a notification of breach of personal data - subsequently integrated with notes dated XX and XX, XX and XX, XX and XX - regarding a cyber attack, determined by a ransomware-type malware (XX), on the information systems of the same.

Given the high number of data subjects involved and the nature of the personal data subject to the violation, it was deemed necessary to investigate the circumstances in which the aforementioned personal data violation occurred, as well as the security measures adopted, through an inspection activity against the Company in the month of XX.

In relation to the same matter, between XX and XX, some requests were received from citizens who, informed of the event that had occurred, contacted the Authority.

2. The violation of personal data

2.1. The fact

The circumstances relating to the violation of personal data were represented by the Company both in the notification to the Authority, carried out, in phases, pursuant to art. 33 of the Regulation, and during the aforementioned inspection activity. In particular, the following emerged.

2.1.1. Notification of the breach to the Guarantor

With the preliminary notification of XX, the Company declared that it was the victim of a “hacker attack detected by the company information systems at 3:00 a.m. on XX which prevents access and availability to some company applications (infrastructure, hospital, administrative, territorial) whose precise identification and impact are being defined”, specifying that “an initial analysis highlights the involvement of the server farm of the peripheral ULSS 6 Euganea office in Via Marconi […] Monselice (PD) and of the Camposampiero Hospital (PD)” (see, notification of XX, section XX).

Subsequently, with a note of XX, the Company updated the information regarding the breach by providing a copy of the Incident Report of the Company XX S.p.A. from which it is clear that “the attacker accessed the internal network via XX […]. There are also accesses via the Fortinet VPN, but there is no useful information on the Fortinet logs […] XX server identified by the name "XX", on which the malicious program "locker_ce066f3fade586a6_ESXI_Linux" performed encryption operations on the virtual machines and added the "lockbit" extension to the names of these files […] through the use of domain admin accounts, the attacker used the PSEXEC tool to distribute, on the identified systems, the encryption tool (xxx). This tool deactivates various security and backup systems and then performs file encryption. […] The attacker also accessed the VMware systems; in this case, the root user was used directly and an ad hoc program (locker_ce066f3fade586a6_XX Linux) was used, distributed by the XX group on XX on dark web channels. The tool suspended the various VMs and performed the encryption of the datastores […] the attacker distributed an ad hoc executable (sender.exe) that has the task of collecting the files (".doc, .docx, .xls, .xlsx, .xlsm, .pdf, .msg, .ppt, .pptx, .sda, .sdm, .sdw, .csv, .zip, .json, .config, .ts, .cs, .sqlite, .aspx, .pst, .rdp, .accdb") that fall into the following conditions: those modified in the last 6 months, those older than a year, but modified in the last 6 years. Once collected, these files are sent to an external IP (104.248.142[.]137) via SFTP and WebDAV” (see notification of XX, XX).

In addition to what was previously notified, on XX, the Company further updated, based on the “2nd OPINION REPORT - AULSS 6 Euganea IT Incident - v.1.1 of XX” prepared by Yarix s.r.l., the information about the violation reporting that “the analysis carried out, although influenced by the lack of some useful elements, allowed us to identify in the attack suffered […] the work, almost contemporary, of two different TAs (Threat Actors): in the attacked systems, in fact, traces of two different ransomware gangs, XX and XX, were found. […] the first activities attributable to potential unauthorized access to the infrastructure […] were traced back to XX, the day on which, from the elements available, the first access was made from one of the IP addresses associated with the attackers. Starting from XX (…) further activities associated with the attackers were detected that led to the actual encryption of the data that occurred on the night of XX. In this regard, the attack detected is very singular […] because (…), the two TAs operated in an almost overlapping timeline, but accessed the systems from two different entry points (VPN on Fortigate device for XX and VPN on XX device for XX) and performed encryption on different portions of the infrastructure (XX). The checks on the actual exfiltration, unfortunately marred by the absence of useful data (logs) in some of the systems analyzed, did not allow us to determine with absolute certainty whether this occurred, even if the intelligence information detected by the Cyber Threat Intelligence team allowed us to ascertain that XX has, if nothing else, a list of files compatible with what is present in the AULSS 6 Euganea systems”.
It was also stated that "this short list, which lists the potential exfiltration of approximately 17,000 documents containing personal and non-personal data, is currently being constantly examined by the Information Systems of AULSS 6, in order to confirm the actual correspondence of the files in the possession of the TA with those of the company and to be able to subsequently provide any precise communication to the interested parties, also providing tools to support their rights and freedoms. A detailed analysis of these potentially exfiltrated documents was started by a multidisciplinary task force, appointed by the Company Management and specifically trained [...]". The Company, "having examined the second opinion report of Yarix, and assessed the list of unexamined artefacts, intervened with the contractors involved in the services connected to the security of the company's infrastructure perimeter (services attributable to the supplier XX spa) and made seven machines available to Yarix s.r.l. for the purposes of completing the analysis activities. Below are the Cyber Threat Intelligence findings as per the Yarix s.r.l. report of XX, an integral part of the above-mentioned report: «During the Cyber Intelligence activities, the Yarix Cyber Threat Intelligence team (YCTI) identified, through the undercover profiles of its analysts, the compromise of three hosts with access to the following internal portals belonging to the AULSS6 perimeter: from the first analyses conducted on the identified data, it is clear that the information was collected by three info-stealer instances of the Redline family active on the machines for a certain period. The transmission of the information to the C&C occurred respectively on the following dates: Host 1: XX: XX: XX. 
The date of transmission of the information by the malware does not demonstrate that the credentials are still valid or that they were used on that specific date: it is possible, for example, that the malware collected and sent to the C2 server all the credentials saved in the browser up to that moment. Host 1 contains one of the credentials identified during the analysis of the XX incident as a VPN entry point for XX (user XX), and it is therefore plausible to assume that the same was the object of purchase and sale for the purposes of the attack itself" (see notification of XX, XX).

As a further integration regarding the publication of the data by the XX group, the XX Company intended to attach the "Cyber Intelligence Report" of XX and the "2nd OPINION REPORT - AULSS 6 Euganea IT Incident - rev. XX" prepared by Yarix s.r.l. (see notification of XX, section XX).

Finally, with a note dated XX, the Company highlighted what was present in the “2nd OPINION REPORT - AULSS 6 Euganea IT Incident - rev 1.3 of XX” prepared by Yarix s.r.l., in the part where it was reported that “on date XX, following some further details provided during the analysis […], a FortiAnalyzer (FAZVM64) LOG collection system was identified and acquired at the Padova Colli headquarters, which was in production during the incident […]; the analyses allowed the presence of traffic to be detected towards the exfiltration IP from the FW-SCRO14-DC firewall. Specifically, in the time frame between 00:52:10 and 02:12:28 on day XX, outgoing traffic was detected from 18 clients belonging to the ULSS17 domain […]; traffic analysis made it possible to detect a data transfer of approximately 700 MB” (see notification of XX, XX).
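The pattern the second-opinion report recovered from the FortiAnalyzer logs after the fact (many internal clients sending a large combined volume to one external address within a short window) is exactly the kind of signal a controller is expected to be able to see while it is happening. The following script is an added example written for this page; it is not part of the decision, nor tooling of the Company, Yarix or Fortinet. It aggregates outbound bytes per external destination over a sliding time window and flags destinations reached by many internal hosts. The key=value log layout, the sample lines, the RFC 5737 documentation addresses and the thresholds (90 minutes, 500 MB, 5 hosts) are all constructed assumptions, not values from the page or the real FortiGate schema.

```python
"""Flag bulk outbound transfers from many internal hosts to one external IP.

Added example, not the decision's or any vendor's code. The log format is a
simplified key=value layout constructed for this example; the IPs are RFC 5737
documentation addresses, not the indicator cited in the decision.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Networks treated as "inside"; anything else is an external destination (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: six clients each send 150 MiB to 203.0.113.5 within ~80 minutes,
# one host sends 2 GiB to a single destination (a backup target), a few hosts send
# small volumes elsewhere, and one internal-to-internal transfer must be ignored.
SAMPLE_LOGS = """
date=2024-01-01 time=00:52:10 srcip=10.20.0.11 dstip=203.0.113.5 dstport=443 sentbyte=157286400
date=2024-01-01 time=01:05:00 srcip=10.20.0.12 dstip=203.0.113.5 dstport=443 sentbyte=157286400
date=2024-01-01 time=01:18:30 srcip=10.20.0.13 dstip=203.0.113.5 dstport=22 sentbyte=157286400
date=2024-01-01 time=01:30:00 srcip=10.20.0.14 dstip=203.0.113.5 dstport=443 sentbyte=157286400
date=2024-01-01 time=01:55:12 srcip=10.20.0.15 dstip=203.0.113.5 dstport=22 sentbyte=157286400
date=2024-01-01 time=02:12:28 srcip=10.20.0.16 dstip=203.0.113.5 dstport=443 sentbyte=157286400
date=2024-01-01 time=01:00:00 srcip=10.20.0.50 dstip=198.51.100.20 dstport=443 sentbyte=2147483648
date=2024-01-01 time=01:10:00 srcip=10.20.0.11 dstip=198.51.100.77 dstport=443 sentbyte=10240
date=2024-01-01 time=01:12:00 srcip=10.20.0.12 dstip=198.51.100.77 dstport=443 sentbyte=10240
date=2024-01-01 time=01:14:00 srcip=10.20.0.13 dstip=198.51.100.77 dstport=443 sentbyte=10240
date=2024-01-01 time=01:11:00 srcip=10.20.0.12 dstip=10.20.1.5 dstport=445 sentbyte=524288000
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one key=value log line into a dict with typed fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "ts": datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S"),
        "src": fields["srcip"],
        "dst": fields["dstip"],
        "dstport": int(fields["dstport"]),
        "sentbyte": int(fields["sentbyte"]),
    }


def find_bulk_egress(lines, window=timedelta(minutes=90),
                     min_bytes=500 * 1024 * 1024, min_hosts=5):
    """Return one finding per external destination that, within any `window`,
    received at least `min_bytes` from at least `min_hosts` distinct internal hosts."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_dst = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            by_dst[e["dst"]].append(e)

    findings = []
    for dst, evs in by_dst.items():
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            total = sum(x["sentbyte"] for x in chunk)
            hosts = {x["src"] for x in chunk}
            if total >= min_bytes and len(hosts) >= min_hosts and (best is None or total > best["bytes"]):
                best = {"dst": dst, "bytes": total, "hosts": len(hosts),
                        "first": chunk[0]["ts"], "last": chunk[-1]["ts"],
                        "ports": sorted({x["dstport"] for x in chunk})}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_bulk_egress(SAMPLE_LOGS.splitlines()):
        print(f"{f['dst']}: {f['bytes'] / 2**20:.0f} MiB from {f['hosts']} hosts "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}, ports {f['ports']}")
```

The two-part threshold matters: the single host pushing 2 GiB to one destination is not flagged (a nightly backup looks like that), and the many-hosts-but-tiny-volume traffic is not flagged either; only the combination of fan-in from several workstations and a large aggregate volume is reported. In a real deployment the aggregation would run over the firewall's own field names and the log retention would have to cover the whole intrusion window, which, per the findings above, it did not.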

2.1.2. Inspection activities

During the inspection activities, the Company, in confirming “the analysis carried out by YARIX with particular reference to the timeline of the document “2nd opinion report - AULSS 6 Euganea IT incident” version 1.3 - XX”, specified that “the first accesses of the malicious actor, via VPN, date back to the month of XX, following which the threat actor XX then proceeded with the typical actions of a cyber kill chain”; that “on XX at 2:37 the help desk, following the receipt of a report of malfunction of the ticketing system, activated the on-call system support of the infrastructure management provider. Subsequently, the XX company of the XX group, specialized in IT security, was involved” and that “the ULSS, not having systems engineers among its employees, requested a second opinion on the security incident from the YARIX company, a leader in the sector, due to its position of third party and absence of conflict of interest” (see minutes of XX, page XX).

With regard to the extent of the violation with reference to the company’s healthcare and administrative-accounting applications, the Company declared that “the administrative-accounting applications were not involved and the virtualization console of the healthcare applications as well as part of the workstations were encrypted. Despite the complexity of the Company’s technological infrastructure, composed of numerous and different physical and virtual devices, biomedical area equipment, examination equipment for the various hospital specialist areas, it was possible to restore company operations in a short time. This was done with a service continuity plan, a continuous evaluation of the priorities and the progress of the activities carried out by the various work groups and crisis units, and with the involvement of all available human resources”. The controller also wanted to clarify that “[the published data] were not extracted from the databases but came from the workstations of employees who had saved personal documents or work lists (e.g. hospitalizations, discharges) or patient records locally, sometimes in draft or incomplete and not catalogued, contrary to the instructions […] which exclusively provided for the use of “shared folders” or dedicated systems”; that “the institutional website of the Company has always been functional” and that “the provision of services to users and the administration of healthcare services have not suffered any interruption since the procedures envisaged in the event of a disaster were adopted. In any case, following the restoration of the technological infrastructure, all data relating to the activities carried out in emergency mode were transferred” (see minutes of XX, pages XX and XX).

With regard to the number of data subjects whose health data were affected by the attack, the Company stated that “the task force was able to precisely delimit the perimeter of the breach in terms of quantity of personal data, types of personal data and types and number of data subjects, detecting lower numbers than expected at the beginning of the data breach (no. of data subjects 9,520, instead of 23,886 – no. of files 5763 instead of 32,555)” (see notification of XX, section XX).

Finally, the Company provided an integration to the technical report of the XX task force attached to the notification of XX, declaring that the number of data subjects involved “is substantially lower” (see note of XX to resolve the reservations of the XX inspection, annex XX).

2.2. Measures in place at the time of the breach

2.2.1. Notification of the violation to the Guarantor

With reference to the measures in place at the time of the violation, the Company declared:

- that “the AULSS6 derives from the unification of three former ULSS each with its own different information system, the most significant action was the consolidation, unification and securing of a single new domain AULSS6 Euganea and progressive cessation of the old domains and non-unified systems; perimeter security is guaranteed by the use of IPS, antivirus, web filtering, certification inspection on dedicated systems. Only defined and authorized software is installed on the workstations in the AULSS6 Domain and access with Local Admin is not permitted. The methods of use of the PDL and more generally of the IT tools” are defined “by company regulations. The preparation of the machines (servers and pdl) occurs through standard templates archived offline and accessible only to the interested personnel. Access to the servers is only possible with administrative users and to the PDLs only with prior authorization. Administrative users have XX (XX) passwords. The XX system is active for both client and server control and monitoring of workstations, while the XX system is used for the inventory part; the Log management system (XX managed by a specialized company) is already active on the most relevant systems. With regard to security copies, full and incremental daily backup is active on all physical, virtual and database systems: this has in fact allowed for rapid and safe recovery. With regard to vulnerability assessment, a service is active with a specialized company, performed at least monthly and consequent corrective actions reported to the main players in order to intervene to overcome the reported vulnerabilities. For all new workstations that support the functionality, the anti-malware scanning function of removable media has been activated as well as the filtering of email messages and web traffic using the regional Google Cloud services.
In particular, backup copies are managed with the following systems: XX with the related backup policies (incremental daily, synthetic weekly) for the Database part XX the Backup takes place on the XX platform (Full daily Backup and hourly archive log). With Resolution no. 709 of XX, the Security Program Document was adopted which reports an intense improvement plan aimed at increasing the average and maximum security measures with particular reference to the AgID circular 2/2017 and the FNSI, including a training plan in agreement with the DPO for all information systems personnel";

- to have "undertaken, starting from 2018, targeted training courses, addressed to Management and dependent staff, aimed at increasing and strengthening the knowledge and diligent conduct to be implemented in the field of privacy, data protection and information security. This is due to both the advent of the EU legislation referred to in the GDPR, and in light of the reorganization of the Regional Health System, referred to in regional law no. 19/2016 and effective from 1 January 2017, which provided for the unification of the health companies AULSS 15, 16 and 17 in AULSS 6 Euganea and led to the launch of a new corporate information system and personal data management, as well as the definition of a new corporate privacy system”;

- that it “has implemented and keeps updated all the organizational measures referred to in the GDPR regarding the appointment of authorized persons pursuant to art. 29 GDPR and 2-quaterdecies CP, of data processors pursuant to art. 28 GDPR and in relation to the designation of the DPO, as well as through the preparation of data breach and risk assessment procedures, applied during the incident in question” (see notification of XX, section XX, point XX).

2.2.2. Inspection Activities

With regard to the computer authentication procedures used in the context of VPN access and to the workstations in place at the time of the violation and the password policies envisaged for the different types of users, the Company, during the inspection activities, declared that:

− “at the time of the personal data violation, multi-factor computer authentication procedures were not envisaged for access to the network and systems managed by the Company via VPN”;

− “the ULSS had prepared a regulation for remote access […] and that on XX a “Programmatic Document on Security” had been approved to enhance security measures and adapt them to the minimum AgID measures […] this document envisaged, among other things, the measure of two-factor authentication for VPN access”;

− “non-privileged users are registered in the Identity Management (IM) platform (XX) of the supplier XX and then in the Active Directory, the credentials are made up of XX. Personnel performing administrative functions have two users, one non-privileged and one with administrative privileges (XX) and connect to the systems via RDP or SSH”;

− “non-administrative users have the following password policy: XX. Compliance with the policy is ensured by the IM platform controls. Privileged users have a password policy of XX with the same rules”;

− “following the unification, the ULSS had undertaken a process of normalization of the infrastructures (over XX servers), workstations (approximately XX), domains and policies which however was interrupted due to the pandemic”;

− “the former ASL 15 and 17 were equipped with obsolete infrastructures”;

− “the old firewalls of the former ASL and the old VPNs were still present, to ensure operational continuity, usually updated by technicians, except in specific cases and motivated by the same” (see minutes of XX, pages XX, XX and XX).

In this regard, the Company then confirmed that "the XX, at the time of the attack, the password management logic of accounts with elevated privileges implemented on the XX domain responded, in accordance with AGID best practices, to the security posture rules reported below: XX" (see note of the XX to resolve the reservations of the inspection of the XX, see, in particular, attachment no. XX and also XX and XX).

With reference to the security measures, in place at the time of the personal data breach, relating to the segmentation of the networks, the Company declared that "the servers of the ASL ex 16 and ex 17 were placed on a dedicated VLAN, different from the one where the workstations were placed, and a new environment was being prepared starting from the 3 Data Centers of the 3 ASL" (see minutes of the XX, page XX).

With regard to the technical and organizational measures adopted to ensure the availability and resilience of the processing systems and services, as well as the timely restoration of the availability and access to personal data in the event of an incident, the Company declared that:

− “a system monitoring system was present but not a control room”;

− “the SGM service for the management, maintenance and management of equipment did not include automated analysis and monitoring tools for security events”;

− “the weekly sending of the XX VPN logs to the XX mailbox was not active because, during the activities resulting from the unification and consolidation of the systems of the 3 ASL, a reconfiguration of the email communications of the equipment to a single collection point was in progress and, therefore, it is assumed that the aforementioned log was involved in this migration phase”;

− “it had been using the XX backup system since XX” (see minutes of XX, pages XX and XX).

Subsequently, the Company specified that "at the time of the attack, heterogeneous and differentiated rules were in operation for each firewall in relation to the storage capacity of the devices and the traffic recording rules. With reference to the storage of logs, relating to the activity of system administrators, XX in line with the relevant Provisions requires all its suppliers to "mandatorily keep a copy of the access logs and defined operations for a period of no less than 6 months", as per the "General Conditions of Information Security relating to third parties" in the version updated to XX. With reference to the XX firewall, the storage of access logs was 6 months. Finally, with reference to the Fortinet firewall logs, the storage was 60 days. It should also be noted that even before the dates of the attack, a negotiation was underway between XX and the Administration regarding the expansion of the storage space of the Fortinet Firewalls, as proposed to the administration […] to XX" (see XX's note to resolve the reservations of the XX inspection, Annex XX).

2.3. Measures adopted following the violation

2.3.1. Notification of the violation to the Guarantor

With reference to the measures adopted following the violation, the Company, in the context of the notification of the violation, carried out pursuant to art. 33 of the Regulation, represented that:

“an IT company expert in reacting to cyber attacks was promptly involved and is currently and urgently carrying out a preliminary analysis of the event to assess the impact and the consequent remedial and recovery actions for the containment and reduction of the effects of the violation” (note of XX);

“among the immediate actions to mitigate the damage, in addition to the total blocking of network services and access to internal and external services, internal procedures have been produced to prohibit the use of company systems and to reactivate essential services with alternative methodologies and the supply of reliable tools, a team of over 60 IT technicians has been organized to clean up workstations, a Crisis Unit has been set up with all the necessary skills to best manage both the damage mitigation interventions and the consequent organizational interventions related to the prompt resumption of essential health services (Emergency Room, Laboratory, Pathological Anatomy, Radiology, etc.). Furthermore, companies with expertise in the reference sector have been involved, including Scudomed S.r.l., for the profiles relating to privacy and data protection consultancy, and Yarix S.r.l., for the IT and cyber security profiles, also for a technical second opinion activity regarding the data breach. A “LAWYERS” working group has been set up, composed of the Administrative Director of AULSS 6 Euganea, the Director of the UOC General Affairs of AULSS 6 Euganea, the DPO of AULSS 6 Euganea, as well as external professionals with legal backgrounds who are experts in criminal law, administrative law, privacy compliance and cybersecurity for the multidisciplinary management of the incident and notifications to different bodies/organizations; the working group meets daily and reports to the General Management with the same timing. The Postal Police - Veneto Department was promptly informed, as early as XX” (note of XX);

a note of XX recalled what was reported in the second opinion report of XX prepared by Yarix s.r.l. which highlighted that the "installation of an XDR (eXtended Detection and Response) tool along the entire perimeter had been carried out, both to ensure the identification of any latent threats present within the network and to provide the necessary support for the removal of potential residual components resulting from the compromise"; the "activation of a continuous monitoring service of the internal perimeter of AULSS 6 through the Yarix Security Operation Center operating 24/7 to ensure the management, analysis and management of any security event that occurs within the perimeter under control"; and the “activation of a continuous monitoring service of the external perimeter (Cyber-space) relating to the digital profile of AULSS 6 through the Yarix Cyber Threat Intelligence team, in order to identify through OSINT (Open Source INTelligence) and CLOSINT (Closed Source INTelligence) activities on clear, deep and dark web events that can be correlated to the attack suffered by AULSS 6, as well as potential leaks of data and/or other exfiltrated information”;

these measures “were undertaken and constantly monitored by the corporate ITC group and by the governance together with the consultants and companies involved in the emergency management, determining, from time to time, a series of measures in a by design perspective, in execution of disaster recovery activities, in order to ensure the full implementation of the principle of business continuity. The latter has proven particularly effective in the actions to restart the main management systems capable of ensuring the continuity of patient care, the procurement of life-saving drugs, the efficiency of analysis laboratories and Emergency Rooms as the main operational structures of the company" (see notification of XX, section XX points XX and XX);

"with resolution no. XX of XX, the new Regulation for the use of IT systems was adopted, distributed according to the methods established for the dissemination of company documents. Procedures and operating instructions were also reviewed and distributed to implement company policies. The annual company training plan was also updated by including in-depth sessions on the new policy for all company personnel" (see notification of XX, section XX, point XX);

With regard to technical and organizational measures to prevent similar future violations, the following measures were indicated: “a) updating the company privacy system […] given the complexity of the company, for which there are still ongoing activities to review the organizational processes resulting from the merger of the three former Padua health companies (ULSS15 - ULSS16 - ULSS17) and the managed treatments, as well as within the continuous improvement process, foreseen and also represented in the 2022-2024 performance plan and in the directive document for the year 2022, the need was identified to redefine the company privacy system in the Personal Data Protection Company Management System (SGA PDP) and to set up a multidisciplinary support team in order to give greater impetus to the path undertaken and ensure operational support capable of supporting the data protection system by demonstrating the capabilities and aptitude of the entire organization to enhance and protect the information assets, ensuring the monitoring and continuous improvement of processes and procedures. The team has been assigned analysis and support functions to the company personal data protection office (formerly privacy office), in coordination with the DPO. The aim is to ensure multidisciplinary support so as not to lose sight of the protection objective and to maintain the efficiency of the set of security measures adopted over time, improving it if and when necessary. b) Adherence to PDR 43:2018: The Company Management has activated the process to achieve certification of adherence to the "Guidelines for the management of personal data in the ICT sector according to EU Regulation 2016/679" with the aim of improving actions for the correct processing of personal data of the Company Management System for Personal Data Protection, laying the foundations for certification mechanisms as recommended by art. 42 of European Regulation no. 679/2016.
c) ISO 9001:2015 and 27001:2017 certifications: The Company Management has started the process for adhering to the quality management model for information security in order to redefine processes and tools connected to them from the perspective of information security and obtain ISO 9001:2015 and 27001:2017 certification following alignment of the information systems activity with the indications provided by the legislation on personal data protection. This is in order to allow the free and safe circulation of personal data within the SGA PDP. d) Training: diversified training courses have been intensified for all company personnel as well as for the multidisciplinary team” (see notification of XX section XX, point XX).

2.3.2. Inspection Activities

During the inspection activities, the Company stated that “following the breach, XX activated the multi-factor computer authentication procedure for access to the network and systems managed by the Company via VPN, with a second factor of XX” and that “the instructions for activating the VPN with MFA were provided to employees via email” (see XX minutes, page XX). Furthermore, the Company stated that “following YARIX’s suggestions, contained in the second opinion report, a structured SIEM was activated that collects the various logs being consolidated, first with temporary assignments and subsequently in the new contract in force with XX”, that “the XX company’s XDR system was adopted” and “starting from the end of XX, a series of security measures were activated, including XX’s XDR tool, monitored 24/7 by YARIX’s SOC, to protect end points, to respond to and combat threats; a SIEM system for collecting logs to monitor all security events; an analysis service for the collection of intelligence information from open and closed sources (OSINT and CLOSINT) in order to identify any data exfiltration, compromise of accounts and users as well as other potential threats relating to the perimeter agreed with the ULSS (XX)” (see minutes of XX, pages XX and XX).

With regard to organizational measures, the Company highlighted that “the process of reviewing the procedures already underway has undergone an acceleration that has led to the definition of a Personal Data Protection Company Management System (SGA PDP) […]. Following the incident, the network of contacts who dealt, among other things, with procedures and clinical risk, acquired the additional expertise of data protection with appropriate training to establish an observatory in the field both to intercept anomalies but also to better regulate new projects and activities that may have an impact on data protection. The network currently consists of XX people. A multidisciplinary team (skills in data protection, ICT security, medical, human resources, etc.) was also set up, trained with an 80-hour course - with specific modules on topics including consent, scientific research, medical apps, medical devices, artificial intelligence - in addition to the annual training plan for all employees that already included data protection and ICT security topics [...]. It also adopted the XX tool which, in addition to making available all the procedures and documentation necessary to inform employees, collects reports from the network of referents and which will soon be extended to all staff, for a fast and centralized collection of data from individual UOs, conveyed at company level to the RPD and strategic management. This tool is therefore used to raise staff awareness and distribute documents of all updated procedures that employees must read. The reports collected through this tool are analyzed by the Quality office which, if necessary, involves the multidisciplinary team and the RPD”, which has “set up a privacy office, separate from the RPD, which deals, among other things, with compliance activities, first drafting of VIP, information, and is in close contact with the multidisciplinary team and the company’s top management” and which “has undertaken a process to obtain ISO 27001 and UNI PdR 43:2018 certification” (see minutes of XX, page XX).

With reference to data and system recovery operations, the Company, during the inspection activities, declared that “since XX the ULSS has set up a crisis unit to manage the incident”; that “within 15 days everything that was a priority had been restored, in particular with an impact on the care and healthcare services of the patients” and that “at the end of December the ULSS had cleaned up all the workstations. The various management systems were made operational only after functional testing, documented by an appropriate report signed by the supplier and also authorised by the information systems management. On this occasion, some security measures for the systems themselves were also adjusted, where deemed necessary. The activities were concluded within a month. The crisis unit set up suspended daily meetings on XX because the situation was now under control” (see minutes of XX, page XX and of XX pages XX and XX).

2.4. Communication of the breach to the interested parties

In relation to the communication of the breach to the interested parties, the Company preliminarily stated that it had made a “social communication via the company’s institutional Facebook channel” on the morning of XX regarding the hacker attack and the blocking of IT services (see notification of XX, section XX, point XX) and, subsequently, stated that “a multidisciplinary task force (IT profile, privacy profile, health profile-clinical risk), specifically appointed and trained to carry out the activity, is carrying out a detailed analysis of the potentially exfiltrated documents, containing personal and non-personal data” and illustrated “the additional tools planned […] to be able to provide any specific communication to the interested parties, also providing tools to support their rights and freedoms through: a general communication, published on the company website, divided into clusters in relation to the different types of documents containing personal data, which could be exfiltrated based on the evidence of the short list; the short-term activation of a clustered multifunction toll-free number to obtain initial summary information regarding the position of each interested party for the exercise of rights regarding the processing of their personal data and any actions and behaviors to be adopted for the purpose of weakening the impact of the incident on the rights and freedoms of the interested parties” (see notification of XX, section XX point XX and XX, point XX) confirming that the planned tools had been implemented (see notification of XX, section XX, point XX).

Lastly, the Company stated that the “first and second level analyses carried out by the multidisciplinary task force also with the aid of the specialized tool and the results regarding the number of data subjects involved in the IT breach as well as the categories of personal data subject to the same breach, the data controller believes that the risk for the rights and freedoms of natural persons is high. On the basis of the third and fourth level analyses also with the aid of the Esplores software (…), the task force was able to precisely delimit the perimeter of the breach in terms of quantity of personal data, types of personal data and types and number of data subjects, detecting lower numbers than expected at the beginning of the data breach […]; however, also given the exposure on the dark web and the personal information impacted, the data controller believes that the risk for the rights and freedoms of natural persons is high and has proceeded with the information obligations pursuant to art. 34 GDPR to inform the data subjects and to provide support to the latter. It has proceeded in two ways”. The controller also communicated that on XX it had forwarded to over 700 employees “communications pursuant to art. 34 of the GDPR […] as follows:

1) employees affected by the publication of identification documents (identity card, driving license, green pass) […]. This was done, considering the potential for identity theft, in order to prevent any illicit activities perpetrated by third parties for the interested parties; in the communication, employees were advised to go to the Judicial Authority to report the incident. Since the number of employees was small, they were also contacted in advance by the members of the task force to anticipate the content of the communication itself. Before activating this process, the Company Management, with the collaboration of the Company DPO and the Company Privacy Representative, organized a meeting with the Workers' Trade Unions to represent the results of the work of the task force regarding the analysis of data from documents published on the dark web, in reference to the positions of some workers involved in the violation for the publication of identification documents, and to represent the measures put in place to mitigate the negative effects of the exfiltration on the interested parties.

2) employees affected by the publication of various documents: on XX, another 700 employees were also reached by communications pursuant to art. 34 to inform them of their involvement in the violation [...] all communications were successful. Following this, some 20 employees contacted the numbers available to obtain information regarding access to the documents. It is specified that this company has necessarily had to manage and adopt two distinct methods of communication to the interested parties involved in the publication of personal data […], with regard to the remaining number of interested parties not reachable by ad personam communication […] it was decided to proceed with a generalized communication pursuant to art. 34, letter c) of the GDPR […] by posting specific signs in transit areas and with greater attendance (…). This choice will allow the Company to redirect resources towards a development plan (training and structural) of the Personal Data Protection Company Management System which had been slowed down by the events connected to COVID which have heavily affected all our structures. Furthermore, the same communication was published on the company website (XX) at the following link: XX. The generalized communication will be kept in evidence for 6 (six) months from the date of dissemination” (see notification of XX, section XX point XX and XX points XX and XX).

During the inspection activities, the Company confirmed “the actions taken to mitigate the negative effects on the interested parties with reference to the communication, pursuant to art. 34 of the Regulation, already reported in the notification of XX and subsequent additions, specifying that very few specific requests were received from the interested parties through the contact channels set up by the Company (RPD mailbox and dedicated toll-free number), despite the information being made available through signs posted in all hospitals, clinics and places of passage as well as the intense media campaign developed in the period immediately following the incident” and that “the various press releases […] were also prepared [involving the] judicial authority involved in the investigations” (see minutes of XX, page XX and of XX page XX).

3. Assessments of the Department on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5 of the Code

With regard to the situation described, the Office, on the basis of what was represented by the data controller in the notification of violation and what emerged during the inspection activity, as well as subsequent assessments, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of a proceeding for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation, inviting the aforementioned data controller to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24/11/1981). In particular, with act no. XX of XX, the Authority considered that the Company had processed the personal data in question in violation of the principle of "integrity and confidentiality", pursuant to art. 5, paragraph 1, letter f), of the Regulation and failing to implement technical and organizational measures to promptly identify a violation, as well as to ensure on an ongoing basis the confidentiality, integrity, availability and resilience of the processing systems and services, in violation of art. 32 of the Regulation.

The Company has submitted its defensive briefs, pursuant to art. 166, paragraph 6, of the Code. In particular, with note of XX, it declared that:

“the Company was established on 1 January 2017 by virtue of the healthcare reform of the Veneto Region which took place with the Regional Law of 25 October 2016 n. 19 (“Regional Law”). As a result of the Regional Law, as subsequently integrated and amended, the former ULSS n. 16 of Padua changed its name to ULSS 6 Euganea, incorporating the abolished ULSS n. 15 Alta Padovana and ULSS n. 17 Este”;

“the Company is currently a large and complex entity, with a catchment area of over 920,000 patients, belonging to 101 municipalities, in a territorial extension of 2,127 km2, with a density of approximately 437 inhabitants/km2, making it the most populated health company and with the highest density in the Veneto Region”;

“the Company is organized into 5 social health districts (3 central districts in Padua and 2 districts for upper and lower Padua); by virtue of the aforementioned Regional Law, in the Company, a body of provincial importance, there are 4 spoke hospitals: 2 Hospitals in upper Padua (…), 1 Hospital in the center (…) and 1 Network Hospital in lower Padua (…) as well as a provincial rehabilitation facility”;

“at XX the Company had 7,166 employees including 1,089 doctors and veterinarians, 43 other managers of technical, professional and administrative roles, 3,824 nurses, 1,530 healthcare workers (OSS and OTAA) and 680 administrative staff”;

“the Regional Law also established the Veneto Regional Health Governance Body, called “Azienda Zero”, also outside the perimeter of the Company, to which the Veneto Region assigned the functions relating to the management of technical-specialist activities, including, in art. 2, c. 1, letter g) n. 6 functions relating to “the management of technical-specialist activities for the system and for the bodies of the regional health service such as information technology infrastructures, connectivity, information systems and data flows with a view to homogenization and development of the ICT system”;

“before the reform implemented with the Regional Law, the two companies formerly ULSS15 and formerly ULSS17 each had their own IT system, governed and managed by a Company Complex Operating Unit (UOC) headed, respectively, by an IT Manager; this is because these companies had autonomous legal and organizational personality. The former ULSS16, on the other hand, derived from an organizational model introduced only in the Padua area in 2003, in which the management of the IT structure was governed together with the Padua Hospital Trust by an “Inter-company Structural Department of Information Technology” directed by an IT Manager appointed by mutual agreement by the two companies. This model was subsequently abandoned. At the time of the reform introduced with the Regional Law, the complex and costly procedures for separating the IT systems between the companies in the Padua area were still in place”;

“the Regional Law (…), having assigned to the newly established Azienda Zero many functions supporting the entire healthcare system, including “the acquisition and/or definition of IT infrastructures, connectivity, information systems and data flows with a view to homogenizing and developing the regional ICT system” envisaged that the new companies, even if merged and of considerable size, could have within them, for the management of the IT area, only lower organizational structures, i.e. so-called “Simple” Operating Units (UOS)”;

“since 2017 (…) following the Regional Law, a complex process began which envisaged on the one hand the unification of the information systems of the three former AULSS 15, 16 and 17 (“Unification”) and on the other the continuation of the separation of the information systems previously in place for the former ULSS16 with the Padua Hospital (“Separation”). The Unification and Separation process then slowed down during the pandemic in 2020-2021, as the Company's information systems were engaged in supporting activities intended for the health emergency. The activities carried out by them include: creation of an IT infrastructure for managing gates; support for the logistical reorganizations of departments (semi-intensive and intensive implementation) in line with emergency plans; support for the laboratory analysis process for swabs: IT equipment for collection points, integration of equipment, software adjustments according to regional specifications, redirection of tests to the various laboratories, generation of flows towards Azienda Zero, etc.; transversal support for data extraction and processing; commitment to the creation of vaccine and swab booking systems. The Unification process, aggravated by the pandemic emergency, had a significant impact on the safety reorganization of company networks”;

“all technological purchases necessary for the reorganization and strengthening of the infrastructures in safety were and are subject, by virtue of the Regional Law, to the prior authorization of the Regional Commission for Investments in Technology and Construction (CRITE). In this context, the requests for authorization for investments in the IT area for further investments in IT equipment in the year XX (..) and for the two-year period 2021-2022 (…) made by the Company to CRITE, relating to financing for the purchase of infrastructures necessary for the adoption of measures aimed at improving network security, are relevant for the purposes of this defense brief. […] in the request for funding for the two-year period 2021-2022, the Company acknowledged an additional requirement of €5,658,448 for important investments, including “the improvement of risk management also pursuant to AGID measures and the GDPR” and, in particular, for interventions on the “AGID security infrastructure (firewall, IDS probes, log control in accordance with the regulations, vulnerability assessment, penetration test, etc.)””;

“however, CRITE partially responded to these requests only on XX (one year after the first request) […] postponing the coverage of investments of an amount equal to or greater than €200,000.00 to the presentation of the individual projects to the Commission and with the indication to update the Investment Plan, due to the changes that occurred”. With the limited resources available, on XX, the activities of the Corporate Security Program Document (DDG no. XX of XX) were nevertheless started […] which included, among other things, the implementation of MFA VPNs, which were already the subject of the first request for funding for 2020”;

“the Company notified this Guarantor Authority, pursuant to art. 33 of the Regulation, of the violation of personal data on XX, integrating it with subsequent notes on XX and XX, XX and XX, XX and, finally, transmitting the definitive closure on XX. Only on XX, a full 370 days after the closure of the notification, (…) the “Guarantor Authority proceeded” (..) to inspections (lasting three days). (…), the illegitimacy of the duration of the investigation phase that preceded the notification of the Communication must necessarily be noted. As already noted, the Communication was notified on XX, 477 days after the notification of closure of the data breach and 105 days after the end of the inspections conducted by this Guarantor Authority at the Company's premises";

"the sanctioning activity conducted by this Guarantor Authority is also subject to compliance with art. 14, second paragraph, of law no. 689/1981 [...]. It is also useful to recall the jurisprudence of the Council of State" regarding the deadline for the Administration to contest the infringement (see Council of State, sentence 1330/2015)";

"the long period of time that has already passed is more than the "180 days from the notification of the personal data breach" provided for by Regulation 2/2019 of this Guarantor Authority for the type "Proceedings relating to the breach of personal data (articles 33 and 34 of the GDPR)" (see table B, part 1). It is therefore believed that the sanctioning procedure initiated with the Communication is irremediably flawed due to the abnormal time lapse between the sending of the notification of closure of the data breach and the start of the same";

on the merits of the issue "it is permissible to contest the reconstruction made by this Most Illustrious Guarantor Authority as it is based exclusively on the partial information acquired during the inspection activity, during which the person who, at the time of the violation, was the Head of Information Systems of the Company and who, prior to the incident, had dealt with the activities relating to securing the networks was not present, because he had resigned. (...). What was declared in the minutes of the XX on page 3 regarding the VLANs must therefore necessarily be integrated with the declarations, subsequently acquired by the Company of the engineer (...) who, in his capacity as Head of Information Systems, had at the time managed this aspect";

in addition to what was declared during the inspection activities "despite the difficulties connected to the Unification referred to in the first paragraph, at the date of the incident, states the engineer (...), with the confirmation also of his then collaborators (...), that "at the date of the XX, also due to the available funding, the following activities had been completed: - definition of the addressing plan for the entire Company, configuration and segmentation of the new Camposampiero Datacenter; - commissioning of the new AULSS 6 domain. Furthermore, they were in an advanced stage of implementation: the configuration of the various applications on the new domain with simultaneous migration from the old datacenters, updating and insertion into the network in the various defined VLANs";

"although the partitioning plan on all the subnets of the Company's offices is not complete, it should be clarified that at the time of the incident there was in any case a separation via VLAN of all the main data communication flows to and from all the datacenters to the various offices. Moreover, it is possible to state with reasonable certainty that not even the completion of the segmentation and segregation, which was already underway, could have prevented the incident from occurring, for the reasons indicated below and for the type of incident”;

“VLANs certainly represent a method for segmenting a broadcast domain into multiple smaller domains. At the OSI 2 level, each VLAN contains only the traffic of the devices belonging to that VLAN. With VLANs, work groups can be created with devices physically located at any point of a network, which can however communicate as if they were on the same physical segment, as indicated in the diagrams below for clarity. It follows that a user who has administrator credentials for a computer network can access the “management VLANs” that are used to configure and maintain VLANs in complex environments and, therefore, is within his or her power to connect to them, modify them and ultimately bypass them as a security measure to reduce the impact of an attack such as the one carried out by the two attackers in the incident in question”;

“these considerations are also confirmed by XX’s statement, which specifies: “a system administrator, which the attacker had become, on XX, having the ability to make lateral movements between the server and DB systems could access the various VLAN networks, making this security measure less effective in this case””;

“the attacker initially acted with unprivileged user accounts and subsequently with legitimate system administrator accounts, in a relatively short period of time. Due to the nature of the role assumed by the attacker in the last phase, therefore, completing the segregation and segmentation process would not have constituted the additional security measure capable of concretely preventing what happened. Nonetheless, as clarified during the inspection, it is confirmed that the segregation and segmentation process had been largely started as soon as the necessary economic resources were assigned and in any case before the incident and that said process was in any case completed after the incident, in order to minimize the impact of cyber attacks of a different nature than the one that occurred”;

“as for the contested absence of the double authentication factor of VPNs […] with reference to VPNs accessible with non-privileged users (therefore non-administrator), in this case used by the attackers in the period between XX and XX […] it is evident that at the time of the incident the double authentication factor did not even constitute a measure envisaged at the maximum level by AGID in the "Minimum ICT security measures for public administrations. (Directive of the President of the Council of Ministers 1 August 2015)" of April 2017, in force ratione temporis”;

“with reference to VPNs accessible with system administrator users, whose first access occurred only on XX, the aforementioned AGID Security Measures envisage the double authentication factor only for “privileged users and administrative rights”, classifying the relative measure as a “High” level. And, in any case, it is reiterated that the implementation of the double authentication factor was underway to guarantee the maximum levels referred to in the aforementioned security measures of AGID, given that the Company had made a request to CRITE two years before the date of the accident and had only received partial authorization in XX. Following the authorization, the Company promptly took action to implement this measure, included in the XX security program document, which however required implementation times such that they were not in force at the time of the incident. It should be noted that in any case on the date of the incident, although the MFA (Measure 5.6.1) had not yet been implemented, the alternative measure of high password strength for administrative users (Measure 5.7.1) was active, to be used "when multi-factor authentication is not supported" expressly indicated as equivalent by the aforementioned AGID Security Measures (see Annex XX of the defense documents of the XX). Furthermore, it is worth noting that after the incident all active VPNs were equipped with MFA”;

“what is relevant for the purposes of the timely action of the data controller, who is required to notify the Data Protection Authority of the violation within 72 hours, is the moment from which he had knowledge of the disclosure of or unauthorized or accidental access to the personal data (art. 33 par. 1 of the Regulation). On this point, it is also necessary to recall recital 87 of the Regulation” and the Guidelines on the notification of personal data breaches pursuant to Regulation (EU) 2016/679, adopted on 3 October 2017, Amended version and adopted on 6 February 2018. WP250;

“the “suspicion of a violation” exists only in the presence of elements suitable to presume (i.e. without reasonable certainty), the “unauthorized or accidental disclosure or access to personal data” highlighting that in the aforementioned 2017 Guidelines it was “clarified that in order to promptly identify a violation it is appropriate not to underestimate, but rather to analyze, the suspicions of the same, although the measures to remedy it require that the data controller is actually “aware” of the violation. Consequently, the data controller must “have internal procedures to be able to detect a violation and remedy it. For example, to detect certain irregularities in data processing, the data controller or processor can use certain technical measures such as data flow and log analyzers, from which it is possible to define events and alerts by correlating any log data”;

“in this context, the data controller must adopt technical organizational measures (pursuant to art. 32 of the Regulation) suitable for promptly identifying, treating and reporting a violation. Well, as it results from the reading of the Second Opinion carried out by Yarix (“Second Opinion”), the attackers in the period XX - XX had access to the Company’s systems by exploiting VPNs with unprivileged user accounts […]; the first access to the VPN with system administrator privileges was carried out on XX at 9.25 pm and therefore just a few hours before the actual knowledge of the violation materialized. The Company, at the time of knowledge of the incident (XX), had technical and organizational measures suitable for promptly identifying, treating and reporting a security violation of the network perimeter through unauthorized or forced VPN accesses. These measures, however, could not allow the accesses carried out before the violation occurred to be assessed as symptomatic of a violation, as they were carried out using valid access credentials (…); only after the violation occurred on XX was it possible to reconstruct that the accesses in question were in fact carried out by individuals who had abusively come into possession of those valid credentials”;

“the measures adopted by the Company for the timely identification of the violation consisted, in addition to what was previously declared in the documents, also in the activities entrusted to the company XX, by virtue of the Consip Agreement “Service for the Management and Maintenance of IP Systems and Workstations” (SGM). In particular, XX […] had to independently carry out a series of activities aimed at managing the security devices […]; the activities covered by the Consip Agreement and entrusted to XX are in line with the indications of the Working Group regarding the timely identification of a violation, including “For example, to detect certain irregularities in data processing, the data controller or processor may use certain technical measures such as data flow and log analyzers, from which it is possible to define events and alerts by correlating any log data”. In this regard, it is worth noting that XX declared to the Company that it had carried out the aforementioned contractually required activities and in particular: "a) 24-hour monitoring service, intervention and proactive analysis also for IT security issues carried out through the systems used to manage and maintain the Administration's equipment, in particular for firewall, router/switch and server equipment; b) periodic analysis of logs to search for anomalous events (access attempts, anomalous traffic, viral attacks, violation of policies, etc. and any potentially harmful event). Having said this, it is reiterated that the monitoring systems in use were configured for alerting in the event of operating anomalies of the equipment covered by the agreement or interruption of their functionality and/or degradation of performance (point a.) while the policies used to search for anomalous events (point b.) provided for warnings for XX;

“in this case, the attacker initially acted with unprivileged user accounts and subsequently with legitimate system administrator accounts, in a relatively short period of time, with limited access attempts (no brute force), from countries not present in the black list and without causing operating anomalies to the devices under monitoring (no denial of service was detected in the period prior to XX). This situation would probably not have been detected even by advanced SOCs that had not been equipped with machine learning systems and Artificial Intelligence algorithms capable of detecting in real time significant deviations from the “normal” behavior of each user, device and/or subnet of the organization (…); only after further investigation, on XX, the Yarix Company, to which the Company commissioned the Second Opinion, was able to consider the previous accesses starting from XX as activities connected to the incident”;
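The detection problem described in the paragraph above (valid credentials, no brute force, source countries outside the blocklist, no device anomalies) is the case a perimeter blocklist cannot see. The following is an added example, not part of the decision or of any party's systems: it replays a constructed set of successful VPN logins through a per-user behavioural baseline (known countries, usual login hours, and a privileged login from a source address recently used by an unprivileged account) and shows what such a baseline surfaces where the blocklist check stays silent. Log format, account names, addresses, country codes and dates are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    country: str
    role: str  # "user" or "admin" (constructed label for the account's privilege level)


# Constructed perimeter blocklist; ISO 3166 user-assigned codes so no real country is named
BLOCKLIST = {"XA", "XB"}

# Constructed sample of successful VPN logins, one per line:
# timestamp user src_ip country role
SAMPLE_LOG = """\
2023-03-01T08:12:04 m.rossi 198.51.100.20 IT user
2023-03-02T08:40:11 m.rossi 198.51.100.20 IT user
2023-03-03T09:01:30 m.rossi 198.51.100.21 IT user
2023-03-06T08:55:02 m.rossi 198.51.100.20 IT user
2023-03-07T08:30:00 m.rossi 198.51.100.20 IT user
2023-03-01T07:50:00 admin.srv 198.51.100.30 IT admin
2023-03-02T07:55:00 admin.srv 198.51.100.30 IT admin
2023-03-06T07:58:00 admin.srv 198.51.100.30 IT admin
2023-03-27T23:14:51 m.rossi 203.0.113.77 ZZ user
2023-03-28T22:48:09 m.rossi 203.0.113.77 ZZ user
2023-03-30T21:25:00 admin.srv 203.0.113.77 ZZ admin
"""

# Logins before this (constructed) date are treated as the known-good training period
BASELINE_CUTOFF = datetime(2023, 3, 15)


def parse_log(text):
    """Parse the constructed log format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, role = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip, country, role))
    return sorted(events, key=lambda e: e.ts)


def build_baseline(events, cutoff):
    """Per-user set of countries and login hours observed before the cutoff."""
    countries = defaultdict(set)
    hours = defaultdict(set)
    for e in events:
        if e.ts < cutoff:
            countries[e.user].add(e.country)
            hours[e.user].add(e.ts.hour)
    return countries, hours


def blocklist_findings(events):
    """The perimeter control on its own: fires only for blocklisted source countries."""
    return [("blocklisted_country", e.user, e.ts.isoformat(), e.country)
            for e in events if e.country in BLOCKLIST]


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are one hour apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def baseline_findings(events, cutoff, link_window=timedelta(days=7)):
    """Flag deviations from each user's own baseline rather than from a static list."""
    countries, hours = build_baseline(events, cutoff)
    findings = []
    recent_unpriv = {}  # src_ip -> (user, ts) of the latest non-admin login from that address
    for e in events:
        if e.role != "admin":
            recent_unpriv[e.src_ip] = (e.user, e.ts)
        if e.ts < cutoff:
            continue  # training period: learn only, do not alert
        if e.country not in countries.get(e.user, set()):
            findings.append(("new_country", e.user, e.ts.isoformat(), e.country))
        known_hours = hours.get(e.user, set())
        if known_hours and all(hour_distance(e.ts.hour, h) > 1 for h in known_hours):
            findings.append(("off_hours", e.user, e.ts.isoformat(), e.ts.hour))
        # A privileged account appearing from an address an unprivileged account used
        # shortly before is the escalation pattern worth a manual look
        if e.role == "admin" and e.src_ip in recent_unpriv:
            prev_user, prev_ts = recent_unpriv[e.src_ip]
            if prev_user != e.user and e.ts - prev_ts <= link_window:
                findings.append(("admin_after_unprivileged_same_source",
                                 e.user, e.ts.isoformat(), prev_user))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blocklist findings:", blocklist_findings(evs))
    for f in baseline_findings(evs, BASELINE_CUTOFF):
        print("baseline finding:", f)
```

On the constructed data the blocklist produces nothing, while the baseline flags the new country and off-hours logins for both accounts and links the admin login to the unprivileged account that used the same address two days earlier.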

“taking into account the nature of the incident and the activities carried out to prevent and identify it, as well as the historical-technological period different from the current one (the incident occurred at the end of the year XX), the Company cannot be blamed for the lack of suitable measures for the timely identification of the incident”;

“among the parameters that the data controllers are required to take into consideration in identifying the suitable security measures for the specific processing, the “state of the art” and the “implementation costs” are relevant, pursuant to art. 32 of the Regulation. With respect to the “state of the art”, it must be considered that the standard defined by the AGID Security Measures of 2017 constituted for a public administration such as the Company an undoubted reference parameter useful for evaluating, with the knowledge of the time, the adequacy of the security measures in place at the time of the violation. Moreover, it is not clear in the notice of dispute what additional security measures the Company should have adopted in order to prevent the incident that occurred. Even the possible availability of additional "firewall logs", as noted in the Communication, would not have allowed the violation to be detected earlier, or at most to try to trace the identity of the attackers, an activity that is in any case irrelevant for this Most Illustrious Guarantor Authority";

"on the contrary, as has been demonstrated, even in the presence of a control room that monitored the data flows, it would not have been possible to identify the violation earlier. In fact, the attack occurred using the credentials of a user without privileges and, moreover, by accessing not from countries in the so-called black list. Probably, such a structured attack would be identified earlier only by a modern control room capable of processing the data also using artificial intelligence application tools. But, it is reiterated, for the purposes of this proceeding, the “state of the art” of 2021 must be taken into consideration. To what has been said, it must necessarily be added that the assessments on the “implementation costs” are outside the sphere of competence of the Company and that, by virtue of the Regional Law, they are the exclusive competence of CRITE. In fact, the Company had repeatedly requested the implementation of additional security measures, but CRITE had not endorsed these requests […] by not allocating more funds (…)”;

“on the violation of the principle of integrity and confidentiality, the reconstruction carried out is contested in its entirety, since the Company at the time of the incident was in line with the AGID Security Measures and it has not been proven that additional, but not better specified, security measures would have prevented the violation that occurred or would have allowed the Company to notice it beforehand. Furthermore, the Company was not materially able to implement technical measures other than those previously approved by CRITE, under penalty of incurring treasury violations (and even criminal ones)”;

“the number of interested parties involved is equal to 9,520 (of which 8,535 affected by a violation of health data and 985 affected by a violation of personal, contact, access and identification data), out of a total of more than 920,000 patients belonging to the Company. However, […] from the re-examination of the documents subject to exfiltration, it emerged that the actual number of interested parties, to whom the health data refers, is substantially lower, due to bias attributable to the artificial intelligence software used. It is confirmed that the personal data exfiltrated and published under examination refer to documents present on PCs and not on company servers, in contempt of the company policies already in existence on file”;

“the Company was the victim of a hacker attack on its information systems carried out by two distinct threat actors – XX and XX – who acted almost simultaneously. The Company was equipped with adequate technical and organizational security measures for the historical-technological period in which the violation occurred (XX), circumstances that exclude the existence of any form of fault on the part of the Company, even in the mildest and most possible form. At most, it is believed that the Company can be attributed to an error in good faith, having operated in compliance with the sector regulations in force at the time and having only subsequently acquired awareness that it was necessary to integrate said measures, as had already been planned";

"at the time of the incident" all the security measures identified by AGID were "operational within the Company and (...) the same (...)" had "proactively taken action to make further improvements, although not required by the sector regulations in force at the time of the facts" (...), the error, if there was one, was blameless, as it was not susceptible to being prevented by the Company, despite the (extra)ordinary diligence shown in seeking to implement increasingly advanced security measures", highlighting the "extraordinary effort made by the Company to mitigate the effects of the violation for the interested parties. After the incident, the Company immediately proceeded to complete the Segmentation and Segregation process, as well as to provide two-factor authentication for all users. Furthermore, it implemented all the technical and organizational measures specified in the notification supplements and its attachments and also recorded during the inspection activities and also indicated in the Communication”;

“the Company, with the support of the Italian Academy of the Internet Code (IAIC), provided between XX and XX employees with a training and refresher course, tailored to the specific activities of the various employee categories (for IT employees equal to 80 hours), in which top-level and highly professional teachers were involved. A further training course is being planned with the same body”;

“the Company has actively cooperated with the Guarantor Authority since the preliminary notification carried out promptly and in the subsequent supplements, as well as during the inspection activity” and “has also proceeded to collaborate with the judicial authorities and the postal police and carried out the communications pursuant to art. 34 of the Regulation (…)”.

During the requested hearing, which was held on XX, the Company, in addition to substantially reiterating what had already been highlighted in the briefs, represented that:

- “with regard to the segmentation of the networks, also in light of the statements made by the engineers, attached to the briefs, it is highlighted that the segmentation process, at the time of the accident, was in an advanced state of implementation; the delay, in this regard, was attributable to the unification and spin-off processes of the Companies belonging to the current owner; in any case, the segmentation of the networks would not have prevented the lateral movements of administrative and non-administrative users, for the reasons also highlighted by the supplier XX in doc. 5, attached to the briefs; in particular, the aforementioned movements could have been identified only with very sophisticated SOCs, equipped with machine learning and AI systems, not widespread in XX, at the time of the accident”;

- “with reference to MFA VPNs, Agid’s “Minimum measures envisaged for public administrations” had been adopted in point 5.7.1. at the advanced implementation level of password strength for administrative users, to be used when multi-factor authentication is not supported as an equivalent measure; nevertheless, the implementation of the double authentication factor had been planned and started, because, since XX, the authorization for the purchase and the related financing had been requested from CRITE, approved by the latter only partially in XX; in XX, therefore, the Company had presented the security program document that provided for the MFA, which started the authorized investments; therefore, in XX all the preparatory activity for the full implementation of this measure had been started, completed shortly after the incident for all types of users”;

- “despite the lack of a control room, which was not foreseen by AGID as a security measure, the type of incident could not have been detected, if not with sophisticated AI systems”;

- “the breach did not affect the integrity of the data, but only the availability and confidentiality”;

- “attention is placed on the high level of collaboration with the Authority demonstrated by the Company, in every phase of the procedure, and on the proactivity demonstrated by the same, which also provided training to staff on security and privacy (it should be noted, in this regard, that the course with the support of IAIC took place not in XX, but in XX) and reorganized the roles to ensure more widespread and capillary control within the enormous structure”;

- “the measures implemented immediately after the incident (cyber and technical and organizational) have led, to date, to a substantial reduction of the original gross risk of 12.4 to a residual risk of 5.58; the risk assessment was carried out on the basis of the ENISA (Handbook on Security of Personal Data Processing), ISO 27005 and ISO 29134 documents; this, in light of the significant economic and organizational commitment made by the Company”;

- “despite the important press campaign, at the moment the Company has only received 29 requests for clarification regarding the possible involvement in the information attack and no requests for compensation”.

4. Outcome of the investigation

Having taken note of what was represented by the Company during the proceedings, it is noted that:

“health data” are considered to be “personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his or her state of health” (Article 4, paragraph 1, no. 15, of the Regulation);

Recital no. 35 of the Regulation specifies that health data “include information on the natural person collected during his or her registration for the purpose of receiving health care services”; “a number, symbol or specific element attributed to a natural person to uniquely identify that natural person for health purposes”;

personal data must be “processed in a manner that ensures appropriate security […] including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (principle of “integrity and confidentiality”, art. 5, par. 1, letter f), of the Regulation);

art. 32 of the Regulation establishes that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk […]” (par. 1) and that “when assessing the appropriate level of security, special account shall be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (par. 2);

the “Guidelines 9/2022 on the notification of personal data breaches under the GDPR” adopted by the European Data Protection Board on 28 March 2023 - which update the previous “Guidelines on the notification of personal data breaches under Regulation (EU) 2016/679” (lastly adopted on 6 February 2018 by the Article 29 Working Party and adopted by the European Data Protection Board on 25 May 2018, WP250 rev. 01) exclusively to clarify the notification requirements for controllers not established in the EU - specify that “the ability to promptly identify, address and report a breach must be considered an essential aspect” of the technical and organizational measures that the controller and processor must implement, pursuant to art. 32 of the Regulation, to ensure an adequate level of security of personal data;

recital no. 87 specifies that "it is appropriate to verify whether all appropriate technological and organizational protection measures have been implemented to immediately establish whether there has been a breach of personal data and to promptly inform the supervisory authority and the data subject".

5. Assessments of the Guarantor and conclusions.

In light of the above, it is noted that the processing carried out in the context in question requires the adoption of the highest security standards in order not to compromise the confidentiality, integrity and availability of the personal data of a very significant number of data subjects. This, also taking into account the purposes of the processing and the nature of the personal data processed, including those belonging to special categories. On this basis, the security obligations imposed by the Regulation require the adoption of rigorous technical and organizational measures, including, in addition to those expressly identified in art. 32, par. 1, letters a) to d), all those necessary to mitigate the risks that the processing presents.

First of all, in representing that the terms indicated in table 2, attached to “Regulation no. 2/2019, concerning the identification of the terms and organizational units responsible for administrative procedures at the Guarantor”, approved with resolution no. 99 of 4 April 2019, published in the Official Journal no. 107 of 9 May 2019 and in www.gpdp.it, web doc. no. 9107640, concern the aspects relating to the obligations referred to in articles 33 and 34 of the Regulation, it is highlighted in any case that, in the event that the conduct of inspection activities is necessary for the handling of the matter, the running of the terms is suspended until the conclusion of the same (art. 6, paragraph 2, of the aforementioned regulation). It should also be noted, with specific reference to the contested lateness of the initiation of the proceedings by the Authority, contrary to what was asserted by the Company, the Office notified the same on XX, within the terms of the law (120 days from the ascertainment of the violation), given that the acquisition of all the information relevant for the purposes of a complete assessment of the conformity of the treatments in question with particular reference to the security profiles, was completed only following the outcome of the inspection activity, concluded on 8 XX and with the acquisition of the last elements, provided by the Company, with a note of XX to resolve the reservations of the inspection.

In light of the assessments mentioned above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code “False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor”, the elements provided by the data controller in the defense statement mentioned above and during the hearing, although certainly worthy of consideration, do not make it possible to completely overcome the findings notified by the Office with the aforementioned act of initiation of the proceeding, since none of the cases provided for by art. 11 of the Guarantor regulation no. 1/2019 apply.

From the examination of the information and elements acquired as well as the documentation provided by the Company, it emerged that the processing was carried out in violation of art. 5, par. 1, letter f), and 32 of the Regulation, in relation to the following profiles:

5.1. Failure to adopt adequate measures to promptly detect the violation of personal data

During the investigation, it emerged that “XX 22:02:12 First access from XX made by IP 193.178.169.22 (associated with attackers belonging to XX) using the XX user” and that the malicious individuals carried out a series of operations preparatory to the cyber attack. The analyses carried out by the company YARIX did not allow “to trace the methods used by the attackers to compromise the privileged accounts due to the deletion of the logs” and “with reference to the firewall logs (traffic and/or VPN), the limited local retention and the absence of useful extractions (regarding some of them) to be performed close to the event, so as to avoid the rotation of the logs themselves, did not allow the identification of further evidence (VPN accesses or traffic to anomalous IPs)” (see YARIX report). The Company also stated that "there was a system monitoring system but not a control room".

These elements did not allow the data controller to promptly identify the personal data breach that occurred.

In this regard, it is specified that the arguments formulated by the Company in the briefs regarding the identification of the moment in which the data controller can be considered aware of the breach and, therefore, from which he is required to notify the Supervisory Authority, pursuant to art. 33 of the Regulation are not relevant in relation to what is contested in the aforementioned notification act of XX; in fact, the aforementioned aspect was not the subject of observations by the Authority which did not identify, with respect to the Company, an omission or delay in the aforementioned notification of breach, pursuant to art. 33 of the Regulation. What did emerge instead was the inadequacy of the measures adopted to promptly detect the violation of personal data based on anomalous behavior, detectable from VPN access to the company network (such as, for example, the time and frequency of access, usually at night, their origin from IP addresses of foreign countries, which should, in any case, have been subject to verification) and from operations carried out with domain accounts with or without administrative privileges (such as, for example, the deactivation of antivirus software on some systems).

The failure to adopt adequate measures to promptly detect violations of personal data does not comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation which, in the case in question, taking into account the provisions of Guidelines no. 9/2022 (and the previous Guidelines on the notification of personal data breaches pursuant to Regulation (EU) 2016/679, adopted on 3 October 2017, Amended Version and adopted on 6 February 2018. WP250), requires that the data controller and the data processor must implement measures to “identify […] a breach promptly”.
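The indicators the Guarantor lists in section 5.1 (off-hours VPN logins, logins from countries outside those expected for the organisation, one source moving from an unprivileged account to an administrative one, and the stopping of antivirus services) can be checked with simple correlation over authentication and endpoint logs, without the machine-learning SOC the Company argued would have been required. The following Python is an added example written for this page, not code from the decision or from the Company or YARIX; the log lines, user names, the documentation-range IP 192.0.2.10 and the user-assigned country code "ZZ" are all constructed. It also shows why a failed-login threshold rule, the detection the Company's briefs implicitly relied on, sees nothing when the attacker uses valid credentials with no brute force.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events; none of these values come from the decision.
# 192.0.2.0/24 is a documentation range and "ZZ" a user-assigned country code.
VPN_LOG = """\
2021-11-02 09:12:44 vpn login user=mrossi src=10.10.0.15 country=IT result=success
2021-11-02 13:40:01 vpn login user=mrossi src=10.10.0.15 country=IT result=success
2021-11-05 08:55:10 vpn login user=lbianchi src=10.10.0.21 country=IT result=success
2021-11-10 22:02:12 vpn login user=lbianchi src=192.0.2.10 country=ZZ result=success
2021-11-11 01:17:33 vpn login user=lbianchi src=192.0.2.10 country=ZZ result=success
2021-11-12 03:05:59 vpn login user=adm-srv01 src=192.0.2.10 country=ZZ result=success
"""

DOMAIN_LOG = """\
2021-11-12 03:08:40 host=WS-0142 user=adm-srv01 action=service_stop name=antivirus
2021-11-12 03:09:02 host=SRV-FILE01 user=adm-srv01 action=service_stop name=antivirus
2021-11-12 09:00:00 host=WS-0007 user=mrossi action=service_stop name=printspooler
"""


def parse_events(text):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *rest = line.split()
        ev = {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")}
        for tok in rest:
            if "=" in tok:
                key, value = tok.split("=", 1)
                ev[key] = value
        events.append(ev)
    return events


def brute_force_alerts(text, threshold=5):
    """Classic threshold rule (N failed logins per user). It returns nothing on
    this sample, because, as in the incident, there were no failed attempts."""
    failures = defaultdict(int)
    for ev in parse_events(text):
        if ev.get("result") == "failure":
            failures[ev["user"]] += 1
    return sorted(user for user, n in failures.items() if n >= threshold)


def vpn_anomalies(text, expected_countries=frozenset({"IT"}), night=(22, 6)):
    """Flag successful VPN logins that are off-hours or originate from a country
    outside the organisation's expected set (an allow-list, not a block-list)."""
    alerts = []
    start, end = night
    for ev in parse_events(text):
        if ev.get("result") != "success":
            continue
        reasons = []
        hour = ev["ts"].hour
        if hour >= start or hour < end:
            reasons.append("off-hours")
        if ev.get("country") not in expected_countries:
            reasons.append("unexpected-country")
        if reasons:
            alerts.append((ev["user"], ev["ts"].strftime("%Y-%m-%d %H:%M:%S"), reasons))
    return alerts


def shared_source_accounts(text, admin_prefix="adm-"):
    """One source IP authenticating as several accounts, one of them privileged:
    the unprivileged-then-administrator sequence described in the decision.
    The 'adm-' naming convention for admin accounts is an assumption."""
    users_by_src = defaultdict(set)
    for ev in parse_events(text):
        if ev.get("result") == "success":
            users_by_src[ev["src"]].add(ev["user"])
    hits = []
    for src, users in sorted(users_by_src.items()):
        if len(users) > 1 and any(u.startswith(admin_prefix) for u in users):
            hits.append((src, sorted(users)))
    return hits


def control_tampering(text, service="antivirus"):
    """Flag stops of the endpoint protection service, whoever issued them."""
    return [(ev["host"], ev["user"]) for ev in parse_events(text)
            if ev.get("action") == "service_stop" and ev.get("name") == service]


if __name__ == "__main__":
    print("brute force:", brute_force_alerts(VPN_LOG))
    print("vpn anomalies:", vpn_anomalies(VPN_LOG))
    print("shared sources:", shared_source_accounts(VPN_LOG))
    print("control tampering:", control_tampering(DOMAIN_LOG))
```

Each rule needs only the retained VPN and domain logs the YARIX report says were missing or rotated, which is the other half of the same finding: detection of this kind presupposes that the logs are kept long enough to be correlated.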

5.2.2. Failure to adopt adequate measures to ensure network security

During the investigation, it emerged that the Company had not adopted adequate measures to segment and segregate the networks on which the workstations of its employees were located, as well as the systems (servers) used for processing. In fact, as also highlighted by the Company during the inspection activities, "the servers of the ASL ex 16 and ex 17 were certified on a dedicated VLAN different from the one where the workstations were certified and a new environment was being prepared starting from the 3 Data Centers of the 3 ASL". In relation to this aspect, the Company, following the incident, deemed it necessary to implement "an environment with multiple isolated VLANs and firewall rules".

In this regard, in the context of the analysis activities of the company YARIX, in relation to the violation of personal data in question, it was noted that "this type of threat is countered by implementing the so-called defense-in-depth, or the activation of various security measures on various layers of the infrastructure that separate the attacker from administrative access to the entire network. Based on Yarix's experience in technological and organizational IT security, an activity plan may be analyzed to be implemented on the basis of agreed priorities, taking into account the peculiarities of the healthcare sector in which many IT systems are certified by the manufacturer and cannot be modified without losing the guarantee of correct functioning" (see attachment section, XX to the notification of XX).

In this regard, it is highlighted that the circumstance that, at the time of the incident, the Company had started some interventions to strengthen the security of the networks, not yet completed due to the unification and spin-off processes of the Companies belonging to the current owner, although worthy of consideration in the assessments regarding the existence or otherwise of the violation of the principle of data protection by design and data protection by default, pursuant to art. 25 of the Regulation, cannot be considered for the purpose of deeming the violation of art. 32 of the Regulation non-existent. The creation of VLANs - being a preparatory measure for an effective segregation and segmentation of the networks on which the workstations are located compared to those where the server systems are located - must be accompanied by additional measures such as, for example, adequate filtering rules on firewall systems.
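The distinction the Guarantor draws above, that creating VLANs is only preparatory and that segregation requires filtering rules on the firewall between them, can be made concrete by auditing a ruleset for the administrative paths it still leaves open. The following Python is an added example for this page, not the Company's or YARIX's configuration; the VLAN addressing plan, the port list and both rulesets are assumptions constructed for illustration. It evaluates a first-match rule list and lists every VLAN pair on which administrative ports remain reachable, first with VLANs alone (inter-VLAN routing left open) and then with explicit filtering that confines administrative protocols to a jump VLAN.

```python
import ipaddress
from dataclasses import dataclass

# Assumed VLAN addressing plan, constructed for this example.
VLANS = {
    "workstations": "10.10.0.0/16",
    "servers": "10.20.0.0/16",
    "jump": "10.30.0.0/24",
}
# Services commonly used for administration and, by extension, lateral movement.
ADMIN_PORTS = frozenset({22, 445, 3389, 5985})


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    ports: frozenset   # empty set means any TCP port


def evaluate(rules, src_ip, dst_ip, port, default="deny"):
    """First matching rule wins; 'default' is the verdict when nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (not rule.ports or port in rule.ports)):
            return rule.action
    return default


def open_admin_paths(rules, default="deny"):
    """Probe one representative host per VLAN against every other VLAN on the
    administrative ports; return the (src_vlan, dst_vlan, port) triples allowed."""
    hosts = {name: str(next(ipaddress.ip_network(cidr).hosts()))
             for name, cidr in VLANS.items()}
    paths = []
    for src_name, src_ip in hosts.items():
        for dst_name, dst_ip in hosts.items():
            if src_name == dst_name:
                continue
            for port in sorted(ADMIN_PORTS):
                if evaluate(rules, src_ip, dst_ip, port, default) == "allow":
                    paths.append((src_name, dst_name, port))
    return paths


# Case 1: VLANs exist but no filtering rules; the router forwards between them,
# so the effective policy is "allow" by default.
RULES_VLAN_ONLY = []

# Case 2: the same VLANs with explicit filtering: administrative protocols only
# from the jump VLAN, workstations reach servers only on the application port,
# everything else denied.
RULES_SEGREGATED = [
    Rule("allow", VLANS["jump"], VLANS["servers"], ADMIN_PORTS),
    Rule("allow", VLANS["workstations"], VLANS["servers"], frozenset({443})),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", frozenset()),
]


if __name__ == "__main__":
    print("VLANs only:", len(open_admin_paths(RULES_VLAN_ONLY, default="allow")), "open admin paths")
    for path in open_admin_paths(RULES_SEGREGATED):
        print("segregated:", path)
```

The audit function is deliberately independent of any vendor syntax: a practitioner would export the production ruleset into the `Rule` form and run the same probe, so that each "VLAN only" pair that still answers on SMB or RDP from the workstation network appears as a finding.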

Moreover, at the time the personal data breach occurred, remote access, via VPN, to the Company's network was carried out through a computer authentication procedure based only on the use of username and password. In relation to this aspect, the Company specified that "on XX a "Programmatic Document on Security" had been approved to strengthen the security measures and adapt them to the minimum AgID measures [...] this document included, among other things, the measure of two-factor authentication for VPN access" (see notification of XX, section XX, point XX and minutes of XX, page XX).

On this point, it should be noted that the fact that the double authentication factor constituted - as claimed by the Company in its defense briefs - a measure indicated by the Agid guidelines, containing: "Minimum ICT security measures for public administrations" (Directive of the President of the Council of Ministers 1 August 2015), only for "privileged users and administrative rights", does not exempt, in general, the data controller from the obligation to carry out an assessment, in concrete terms, on the appropriateness of the measures adopted to guarantee the security of the processing, taking into account the context in which one operates. In particular, the adoption of the measures indicated in the aforementioned guidelines - indicating, moreover, the "minimum security measures for the Italian public administration, keeping in mind the enormous differences in size, mandate, types of information managed, exposure to risk, and anything else that characterizes the over twenty thousand public administrations" - does not guarantee, in itself, compliance with the obligations regarding the security of the processing. The aforementioned guidelines, in fact, have the purpose of "indicating to public administrations the minimum ICT security measures that must be adopted in order to counter the most common and frequent threats to which their information systems are subject", starting "from the set of controls known as SANS 20 [...] in version 6.0 of October 2015", and "ensuring the minimum level of protection in most situations [...] keeping in mind the enormous differences in size, mandate, types of information managed, exposure to risk, and anything else that characterizes the over twenty thousand public administrations", recommending that "each administration [...] identify [within itself] any subsets, technical and/or organizational, characterized by homogeneity of security requirements and objectives, within which [...] to apply in a homogeneous manner the measures suitable for achieving the objectives themselves". Specifically, the Guidelines, having been issued on the basis of the state of the art, technical knowledge and cyber threats present in 2015, could not take into account the worsening of cyber risk in recent years also due to the spread and adoption, during the COVID-19 pandemic, of technological methods and tools to allow the performance of activities (work and otherwise) remotely. This change of scenario, also given the significant increase in attacks by cybercriminals, would have required, at the end of the twentieth century, a renewed assessment that weighed the new and much more serious risks associated with the processing for the rights and freedoms of the interested parties in relation to the adequacy of the measures adopted. The aforementioned assessment, not being able to be crystallized and, therefore, concluded at the time the processing was designed, should have been continuously carried out over time, also in light of technological development; this, also in order to develop an awareness regarding the need to mitigate the risks arising from violations of personal data, also considering that the Company used two VPNs, from different suppliers, which both constituted the access point for malicious actors.

The alleged compliance with the measures indicated in the aforementioned Agid Guidelines, therefore, does not exhaust the obligation of the data controller to adopt adequate measures based on his own risk assessment. In fact, the Regulation, in compliance with the principle of accountability, delegates to the data controller the task of identifying and adopting technical and organizational measures suitable for guaranteeing a level of security adequate to the risks presented by the processing, which, in this case, were high due to the nature of the data processed, the large scale of the data subjects, including vulnerable ones, involved, as well as, in the event of a violation, the possible negative consequences for the data subjects with particular reference to the compromise of the confidentiality of the health data relating to them.

The failure to implement, at the time of the violation, adequate measures to guarantee the security of the networks does not fully comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation which, in the case in question, requires that the data controller and the data processor must implement measures to "ensure on an ongoing basis the confidentiality, integrity, availability and resilience of the processing systems and services" (letter b)).

6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (arts. 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of art. 5, par. 1, letter f) and 32 of the Regulation, caused by the conduct carried out by the Company, is subject to the application of the administrative pecuniary sanction pursuant to art. 83, par. 4 and 5 of the Regulation.

It should be noted that the Guarantor, pursuant to Articles 58, par. 2, letter i) and 83 of the Regulation, as well as Article 166 of the Code, has the power to “impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case” and, in this context, “the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the accessory administrative sanction to be published, in full or in extract, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code” (Article 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

In light of the above and, in particular, of the category of personal data affected by the violation, the number of data subjects and the unintentional nature of the violation, as the episode appears to have been caused by malicious conduct by third parties, in which the postal police was formally involved, it is believed that the level of severity of the violation committed by the Company is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

Having said this, having assessed certain elements as a whole and, in particular, that:

- the Guarantor became aware of the event following the notification of violation made by the Company, pursuant to art. 33 of the Regulation and from some requests received by the Guarantor on the incident (art. 83, par. 2, letter h), of the Regulation);

- the Company has addressed the issue by introducing a diverse set of measures, some of which have already been planned, aimed not only at mitigating the damage suffered by the interested parties but also at reducing the repeatability of the event that occurred (Article 83, paragraph 2, letters c) and f) of the Regulation);

- the Company has already been the recipient of a sanctioning measure in relation to relevant violations (provision XX, no. XXX, web doc. no. 9899929) (Article 83, paragraph 2, letter e), of the Regulation);

- the data controller has cooperated with the Authority well beyond the obligation provided for by Article 31 of the Regulation at every stage of the investigation, including the inspection, in order to remedy the violation and mitigate its possible negative effects (Article 83, paragraph 2, letter f), of the Regulation);

it is believed that the amount of the pecuniary sanction provided for by Article 83, par. 5 of the Regulation should be determined in the amount of € 22,000.00 (twenty-two thousand) for the violation of Articles 5 and 32 of the same Regulation, as an administrative pecuniary sanction deemed, pursuant to Article 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the accessory sanction of publication of this provision on the website of the Guarantor should be applied, provided for by Article 166, paragraph 7 of the Code and Article 16 of the Regulation of the Guarantor no. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in Article 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

NOW, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by the Azienda ULSS n. 6 Euganea, for the violation of the basic principles of processing pursuant to art. 5, par. 1, letter f) and of the obligations pursuant to art. 32 of the Regulation, within the terms set out in the reasons;

ORDERS

the Azienda ULSS n. 6 Euganea, with registered office in Padua, Via Enrico degli Scrovegni, n. 14 – 35131 - C.F./Partita IVA 00349050286, to pay the sum of €22,000.00 (twenty-two thousand/00) as an administrative pecuniary sanction, pursuant to art. 58, par. 2, letter i) and 83 of the Regulation, for the violation indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of Euro 22,000.00 (twenty-two thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive actions pursuant to art. 27 of Law no. 689/1981;

ORDERS

the publication of this provision in full on the website of the Guarantor, pursuant to art. 166, paragraph 7, of the Code, and believes that the conditions for annotation in the internal register of the Authority pursuant to art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, exist.

Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei