
Garante per la protezione dei dati personali (Italy) - 10086523

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 4(15) GDPR
Article 5(1)(f) GDPR
Article 32 GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 17.10.2024
Fine: 25,000 EUR
Parties: Azienda Ospedaliero-Universitaria SS. Antonio e Biagio e Cesare Arrigo
National Case Number/Name: 10086523
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: ligialagev

The DPA fined a university hospital €25,000 after a ransomware attack exposed personal data, including health data, of patients, employees and consultants. The hospital had failed to implement appropriate security measures.

English Summary

Facts

A university hospital, the controller, experienced a ransomware attack by the "Ragnar Locker" group. The attackers exploited a vulnerability in the controller's firewall to obtain domain credentials belonging to a supplier.

Using these compromised credentials and a VPN connection, the attackers moved laterally within the network (pivoting from host to host to map it, escalate privileges and reach their target) and eventually gained access to the controller's shared file server, which, although intended only for administrative documents, contained various files including health data.

The attackers successfully exfiltrated data to servers in the Netherlands and established a backdoor Secure Shell (SSH) connection. They disabled the antivirus system and deployed executable code that spread ransom notes across workstations, though they did not encrypt the data. The controller promptly notified the DPA about the breach.

Holding

First, the DPA held that the controller violated Article 5(1)(f) GDPR (integrity and confidentiality principle) and Article 32 GDPR by failing to implement adequate measures to detect data breaches promptly. The controller lacked a proper log management system that could have enabled early detection of the suspicious activities that preceded the attack.

Second, the DPA found that the controller's network security measures were insufficient. The authority noted several critical vulnerabilities: the network had no segmentation, VPN access lacked multi-factor authentication, maintenance accounts used shared administrator credentials, and approximately 130 users possessed maximum administration rights. Additionally, the controller continued to run obsolete communication protocols.
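The early-warning detection the DPA found missing, as an added example that is not part of the decision or of the hospital's systems: a small correlation script run over log lines constructed here, covering the stages the facts describe (supplier VPN access at night, one account logging on to many workstations, antivirus stopped, bulk transfer and an SSH connection back to an external host). The source tags, field names, account names and thresholds are assumptions, not any vendor's format.

```python
"""Correlation rules over constructed VPN/auth/host/firewall log lines.

Added example for this page, not code from the decision or the hospital.
Line format (assumed): "<ISO time> <source> key=value ...".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges, invented hosts/users).
SAMPLE_LOGS = """\
2023-01-02T02:14:05 vpn user=vendor_maint src=203.0.113.7 result=success
2023-01-02T02:20:11 auth user=vendor_maint host=ws-017 type=logon
2023-01-02T02:21:40 auth user=vendor_maint host=ws-031 type=logon
2023-01-02T02:22:02 auth user=vendor_maint host=ws-044 type=logon
2023-01-02T02:23:19 auth user=vendor_maint host=fs-admin01 type=logon
2023-01-02T02:30:00 host host=ws-044 event=service_stop service=antivirus
2023-01-02T03:05:44 fw src=fs-admin01 dst=198.51.100.20 dport=443 bytes=48000000000
2023-01-02T03:40:10 fw src=fs-admin01 dst=198.51.100.20 dport=22 bytes=120000
2023-01-02T09:15:00 vpn user=m.rossi src=192.0.2.10 result=success
2023-01-02T09:16:30 auth user=m.rossi host=ws-101 type=logon
"""

# Assumed policy values; a real deployment takes these from the inventory.
SUPPLIER_ACCOUNTS = {"vendor_maint"}      # maintenance accounts of suppliers
MAINTENANCE_HOURS = range(8, 18)          # agreed remote-maintenance window
LATERAL_HOSTS = 3                         # distinct hosts per account ...
LATERAL_WINDOW = timedelta(minutes=15)    # ... inside this window
EXFIL_BYTES = 1_000_000_000               # one flow record of >= 1 GB
EGRESS_ALLOWLIST = {"192.0.2.50"}         # known external peers


def parse_line(line):
    """Split one log line into a dict with a datetime 'ts' and a 'source'."""
    ts, source, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return (rule, detail) alerts for the attack stages seen in the logs."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    logons = defaultdict(list)  # user -> [(timestamp, host)]
    for r in records:
        if r["source"] == "vpn" and r.get("result") == "success":
            # supplier credentials used for VPN outside the maintenance window
            if r["user"] in SUPPLIER_ACCOUNTS and r["ts"].hour not in MAINTENANCE_HOURS:
                alerts.append(("supplier_vpn_offhours", r["user"]))
        elif r["source"] == "auth" and r.get("type") == "logon":
            logons[r["user"]].append((r["ts"], r["host"]))
        elif r["source"] == "host" and r.get("event") == "service_stop":
            # endpoint protection stopped on a workstation
            if r.get("service") == "antivirus":
                alerts.append(("av_disabled", r["host"]))
        elif r["source"] == "fw":
            flow = f"{r['src']}->{r['dst']}"
            # bulk transfer from an internal host to a non-allowlisted destination
            if int(r["bytes"]) >= EXFIL_BYTES and r["dst"] not in EGRESS_ALLOWLIST:
                alerts.append(("bulk_egress", flow))
            # SSH from an internal server to an unknown external host
            if r["dport"] == "22" and r["dst"] not in EGRESS_ALLOWLIST:
                alerts.append(("outbound_ssh", flow))
    # lateral movement: one account logging on to many hosts in a short window
    for user, events in logons.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOSTS:
                alerts.append(("lateral_movement", f"{user}:{len(hosts)} hosts"))
                break
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOGS):
        print(f"{rule:24s} {detail}")
```

Each rule fires on data the controller already had (firewall and VPN logs) but, per the decision, was not collecting and correlating centrally.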

The DPA considered several mitigating factors under Article 83(2) GDPR: the controller's prompt breach notification, full cooperation during the investigation, implementation of significant security improvements following the attack, and the challenging circumstances of operating during the pandemic period.

However, given that health data under Article 4(15) GDPR was compromised, the authority classified the violation's severity as high.

Based on these findings, the DPA imposed an administrative fine of €25,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10086523]

Provision of 17 October 2024

Register of provisions
no. 621 of 17 October 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA


IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code”, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “Code”);

HAVING SEEN Legislative Decree no. 101 of 10 August 2018, containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”;

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Data Protection Supervisor, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Data Protection Supervisor Regulation no. 1/2019”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Data Protection Supervisor Regulation no. 1/2000 on the organization and functioning of the office of the Data Protection Supervisor, web doc. no. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. The breach of personal data

On XX, the SS. Antonio e Biagio e Cesare Arrigo University Hospital of Alessandria, hereinafter the “Company”, sent the Authority, pursuant to art. 33 of the Regulation, a notification of breach of personal data - integrated with notes of XX and XX - regarding a cyber attack on the Company's information systems caused by a “Ragnar Locker” ransomware malware.

Taking into account the large number of data subjects involved and the nature of the personal data subject to the breach, it was necessary to investigate the circumstances in which the aforementioned breach of personal data occurred, as well as the security measures adopted, through an inspection of the Company in January 2024.

2. The fact

The breach of personal data was described both in the notification made to the Authority, in several phases, pursuant to art. 33 of the Regulation, and during the aforementioned inspection activity. In particular, the following was found.

2.1. Notification of the violation to the Guarantor

Preliminarily, with the notification of XX, the Company declared that “the Company’s infrastructure was the subject of a cyber attack by a group that released a ransomware called “Ragnar Locker”” (see notification of XX, section XX, point XX).

Subsequently, the Company updated the information regarding the violation by declaring that “during the night between XX, approximately starting from XX hours and XX hours of the following day, the IT infrastructure of the Hospital Trust (…) saw many of the PCs on its network invaded by a message notifying of a hacker attack by a group called “Ragnar Locker”. The message states that the content exfiltrated from the shared folders would be sold to third parties if there was no contact on the TOR channel for instructions within three days. It should be noted that the attack was limited to the part of the Hospital infrastructure that contains data shared by users, i.e. files shared via file servers. The healthcare applications installed at the central company data center were not attacked. No software or user services were violated. Therefore, the hospital did not suffer any disruptions or limitations in the exercise of its institutional function” (see notification of XX and XX, section X, point X).

With regard to the number of interested parties whose health data were affected by the attack, the Company declared that “the content of the violated folders is being evaluated as information was published on the TOR channel on XX by the "Ragnar Locker" group” and that the interested parties can be traced back to the macro-categories of employees, consultants and patients (see notification of XX, section XX, point XX).

2.2. Inspection Activities

During the inspection activities, the Company, with regard to the methods and timing of the attack, declared that "the workstations (PdL) and the file sharing system (used in fact as the only document manager) to which the PdLs were connected were the object of the attack" and, confirming what was already declared in the notification of personal data breach, "clarified that, from the reconstruction, carried out also thanks to the intervention of the CSIRT and the availability of the firewall logs, the first access attempts date back to XX, a period in which discovery activities and, therefore, lateral movement were detected and then the attack was launched, presumably, at the beginning of XX. From the aforementioned reconstruction, the point of origin, although there is no certain evidence as the Company did not have a log management system, seems to have been the exploitation of a vulnerability in the XX corporate firewall through which malicious individuals recovered some domain credentials and conducted lateral movements that, through an any to any VPN connection, allowed access to a company PC with an open VPN, privilege escalation to administrator, the download of credentials stored in the LSASS service, and finally the massive download of the contents of the file server to storage located in the Netherlands and the installation of an SSH backdoor. (…) All the folders on the file server were accessible from any PdL in the hospital. (…) The malicious individuals deactivated the antivirus and inoculated the executable code that downloaded the ransom note on the PdLs, although they did not proceed with data encryption”, (…) “from the reconstruction carried out, a user was used for the attack to access the VPN, belonging to the supplier’s staff, recovered from the XX firewall configuration file” (see minutes of XX, pages XX and XX and of XX, page X).

With regard to the extent of the violation with reference to the company’s healthcare and administrative-accounting applications, the Company declared that “the company applications had no impact and there were no disruptions or interruptions in the provision of healthcare services to the patients. For internal users, access was limited following the review of the user management policies and the assignment of privileges to administrators which, at the time of the violation, was not differentiated. This, both by custom and by operational simplification, also with reference to the suppliers of the applications and electromedical equipment that carry out their maintenance. The violation therefore only concerned the confidentiality profile" and intended to specify that "the hacker group Ragnar Locker, author of the attack, was dismantled, as per news reports" (see minutes of XX, page XX).

Also during the inspection activities, the Company declared that "it was not possible to estimate the approximate number of interested parties involved in the violation, as each structure had a shared folder on the aforementioned file server used both for the management of the departments but also for the storage of health documents. To understand the nature and content of these documents (also in relation to the type of data processed and interested parties involved), which were not indexed, a specific and non-automated file analysis activity would have been necessary. Initially, in fact, the individual structures had been given a mandate to operate in this direction but, following the huge amount of documentation to be examined and the priorities identified by the Region in the post-COVID period for the recovery of waiting lists, this activity was interrupted. The party specified that it is likely that among those interested there are also minors" (see minutes of XX, pages XX and XX).

3. The measures in place at the time of the violation

3.1. Notification of the violation to the Guarantor

With reference to the measures in place at the time of the violation, the Company declared that "through the training tool, in particular from XX, a cyber awareness course was activated to increase the conscious use of the tools including the sharing of documents and sensitive data XX or file sharing. In XX, the general management sent a note with the obligation to respect the rules of correct storage and sharing of files on file servers after having found seriously anomalous behavior in the use of the file sharing environment" (see notification of XX, section XX, point XX).

3.2. Inspection Activities

During the inspection activities, the Company declared that “it has a Regulation for the use of the ICT infrastructure adopted in 2021 and updated in 2022 in which, among other things, instructions and indications were identified regarding password policies and the correct use of the file server. Furthermore, on 3 April 2023, XX was transmitted the “Cybersecurity Decalogue” published on the company intranet; (furthermore, a) note (…) XX was sent to all staff in September 2022, which recalled part of those indications with particular reference to the correct use of the file server”; that “it has an ISO 9001 certified quality management system, through which any critical issues in the privacy area are also detected thanks to the customer satisfaction and internal audit process. Internal auditors have been specifically trained in this regard and the quality management system audit model is taken into account by the DPO team” and that “the configuration of the workstations (PdL) at the time of the incident included 70% of the XX operating system and the remaining 30% of the XX operating system. Following the violation, through the purchase plan of new PdLs in agreement with CONSIP, all the workstations were progressively replaced. The antivirus software used for the PdLs and servers (XX) did not have different configurations for the different operating systems and allowed for profiling of the protection levels (more or less high). The expected protection level was lower on XX machines and, in particular cases, on some XX machines, in consideration of the potential negative impact on the operation of the machine and its performance also due to the hardware resources present (...) the perimeter security services connected to the management of the same Firewall were guaranteed within the scope of the CONSIP SPC 2 framework agreement; no security measures were adopted to protect and limit access to the memory area used by the lsass.exe process (Local Security Authority Subsystem Service - LSASS) such as hardening activities on the operating system (e.g. correct configuration of the relevant registry key). (…) Hitachi servers were used, acquired through direct assignment with management and maintenance by external resources. A technological update project for the data center and backups was subsequently activated, tested in March 2023 (…)”; that “at the time of the personal data breach, the tender for the implementation of the aforementioned project was being awarded” (see minutes of XX page XX and XX pages XX and XX).

Regarding the IT authentication procedures used in the context of VPN access and to the workstations in place at the time of the breach and the password policies envisaged for the different types of users, the Company, during the inspection activities, declared that:

- “a multi-factor IT authentication procedure was not envisaged (MFA) for remote access in VPN, used before the pandemic exclusively by suppliers and, subsequently, also by employees for the "remotization" of PdLs, after acquiring the list of personnel to be authorized. The "maintenance" users were often generic, not individual, with maximum administrative privileges. Following the incident, the following steps were taken: to activate the MFA, to certify the VPN and to identify nominal users (using specific forms), in compliance with the "minimum privilege" principle";

- "although instructions had been provided to the staff regarding the choice of password, inspired by good industry practices, no system configuration was envisaged that incorporated these instructions. Users who performed administrator functions used different users, depending on whether they were personal domain users or users with administrative privileges. In the latter case, the credentials, which did not have a specific password policy, were generally shared between the different administrators" (see minutes of XX, page XX).

During the inspection activities, in reference to the security measures in place at the time of the personal data breach, relating to network segmentation, the Company declared that "the network was essentially flat, there was no logical or physical segmentation and the network infrastructure was managed by external personnel as part of the services acquired through the aforementioned framework agreement; since December 2022, the Company has acquired an internal resource as a senior systems engineer specifically to manage the network design and review activities. Segmentation is currently planned for new installations and the existing infrastructure and over 6,000 connected devices are being adapted. At an organizational level, starting from July 2023, the clinical engineering unit has also been merged into the new complex organizational unit "ICT and Technological Innovation" for integrated and more efficient management of electromedical applications and devices" (see minutes of XX, page XX).

With regard to the technical and organizational measures adopted to ensure the availability and resilience of processing systems and services, as well as the timely restoration of availability and access to personal data in the event of an incident, the Company stated that “the infrastructure dedicated to backup performed a periodic (typically weekly) screenshot of virtual machines without a retention policy” (see minutes of XX, page XX).

Regarding the security event monitoring tools used for real-time detection of security incidents, with particular reference to monitoring software, the Company stated that “following an assessment carried out in the first months of 2022 […] the need was identified to equip itself with: an asset management system; a SIEM, together with a 24-hour SOC service with a SOAR component (alert orchestration and event correlation); SSL certificates for domains registered in the name of the Company and new firewalls” (see minutes of XX, page XX).

From the documentation acquired during the activity, it is clear that at the time of the attack there were numerous vulnerabilities at the network level (“there is no segmentation at level three of network traffic. (…) No workstations (and) servers (are differentiated at the network level). (…) Many (users) had maximum administration rights. The database (…) is an XX that has many security holes. (…) Escalation techniques can be implemented. Various obsolete communication protocols are still active. (…) The VPN users were connected to the domain and those of the companies were also domain administrators”) (see attachment 1 to the minutes of the XX, pages XX and XX).

With regard to the methods by which security incidents are brought to the attention of the parties involved in various capacities and the process for managing security incidents in the event that they involve a breach of personal data, the Company specified that “at the time of the personal data breach, there was an operating instruction attached to the Regulation for the use of IT tools, (…) concerning incident management with a focus mainly on events reported by perimeter security systems and aimed primarily at IT personnel”; that “the Company has established by resolution (…) a privacy group which includes members of various Company structures, operational at the time of the personal data breach”; that “it has equipped itself with a software tool called “XX” for the management of the protection of personal data processed by the Company” and that “it has prepared a data breach procedure, included in the quality system and made known to all XX employees and also available on the intranet” (see minutes of XX, pages XX and XX).

In any case, it was highlighted that "for a year and a half before the XX, beyond the emergency event, the topic of cyber security had been the subject of planning that saw the Company engaged in a complex work of strengthening the security infrastructure and improving awareness of the risks associated with cyber attacks on users. (...) In November 2021, among the first in Piedmont, the Company had also conducted a survey, based on 110 questions relating to 9 domains and 35 control areas, to quantify the level of exposure to risk of the main sector areas and to compare them with sector benchmarks. The analysis then also suggested, also based on experience in the field of cybersecurity, companies with similar risk levels and guidelines for investment planning". “Since January 2022, starting from the analysis of the level of adequacy to the standard of the minimum levels of the AgID guidelines n.2/2017, we have already identified in the first quarter of 2022 the list of remediations to reach the level of full compliance with at least the minimum set and 95% of the standard set by 2023. This planning was then incorporated into the document “P 02_AgID minimum measures adjustment plan” of June 2022, a sector procedure of the ICT Area forming part of the documentary corpus of the Quality Management System” (see attachment 1 to the minutes of XX, pages XX and XX).

4. The measures adopted following the violation

4.1. Notification of the breach to the Guarantor

With reference to the measures adopted following the breach, the Company stated that “at a preventive level (the rules for accessing the Internet via the firewall) were further restricted”, “access as an administrator to users external to the company network (typically the maintainers of application providers) was limited”, “a joint analysis was initiated with the antivirus provider and with the partner managing the network and related active devices to verify potential vulnerabilities under their responsibility or containment actions” and, subsequently, that “the operational countermeasures implemented after the attack were the following: two-factor authentication system on each service accessible from the outside with particular reference to VPN, e-mail, cloud antivirus server and cloud antivirus clients. Domain management via XX (in particular, the administrator users have been reviewed and therefore considerably reduced by calibrating access based on the activities that the users must carry out) Firewall management Communications and reports to the relevant bodies (Postal Police, ACN, immediate communication to the general management and the operators involved with an operational decalogue of the actions to be implemented)” (see notifications of XX and XX, section XX, point XX).

4.2. Inspection activities

During the inspection activities, the Company declared that “following the report of the presence of the ransom note by the IT service, the RPD and the general management were contacted via an email containing information about the type of violation suffered, the content of the ransom note (request for ransom of published data). Subsequently, the report was made via the dedicated CSIRT service (ACN) and a complaint was filed with the postal police. Several communications were also sent both between the directors of the structures involved and to all the staff. (…) A further phase of investigation was then carried out (…); it was verified that the attacker did not persist in the network by remaining passively connected, the backdoor, in fact, was dismantled and no further evidence of persistence was detected”; that the “protection levels (of the workstations) have been progressively raised” and that “the backup of data and systems (mailboxes, file servers, management systems, etc.) has been consolidated with a [OMISSIS] type strategy” (see minutes of XX, page XX).

With regard to the file server involved in the personal data breach, the Company declared that “it is in an advanced stage of decommissioning and is currently accessible in read-only mode. This server has been replaced by a new file sharing infrastructure, with permissions and authorizations related to each reference structure that has a folder named with the code of the relative responsibility center. On this folder, the director of the structure has all the permissions (e.g. reading, writing, sharing, etc.) and manages the authorizations of his collaborators. In addition to this environment, the file sharing tool is available in XX, XX” (see minutes of XX, pages XX and XX).

With regard to technical and organizational measures, the Company also stated that "the plan for the structural strengthening of IT services originated following the assessment carried out at the beginning of 2022 (...) in which the main measures to be adopted were indicated, in order to mitigate the critical issues identified, indicating the hypotheses for the termination of activities (end of 2022) also useful for the purpose of distributing the necessary economic investments. Following the attack, the priorities of the plan were reviewed, with particular reference to: review of user authorizations, reorganization of the company XX (new domain controllers created, reduction of the number of users belonging to the admin group restricted to system administrators only, review of policies), segmentation plan of the network, both logical (VLAN) and physical of the various structures, purchase of an XX balancer for the management of incoming and outgoing traffic, load management and to create the VPN with MFA. In 2023, thanks to the PNRR funds: the SIEM and SOC service were activated, a WAF was acquired, the technological update of the XX VOIP switchboard equipment and infrastructure was carried out, the antivirus platform was updated (XDR module for endpoints and servers), a methodological support project was launched for the clinical engineering structure for the analysis of the security posture of connected electromedical devices and the management of the life cycle of the devices, in order to comply with the security requirements in the various phases (e.g. purchase, installation, maintenance); an XX asset management system was also acquired”. It was also declared that “an e-learning training course on cyber awareness topics was activated for all operators, in multiple modules with a final learning test, which has currently seen the active participation of approximately 45% of the staff. In order to make this measure fully effective, the aforementioned training activity has been included in the 2024 company objectives. Furthermore, the Company has joined the “Syllabus” training platform, made available by the Department of Public Function of the Presidency of the Council of Ministers”, “which has provided internal operating instructions for the correct reset of passwords and, soon, a portal will be available to automatically reset passwords in compliance with the rules established in the password policy” providing the document “Measures for Cybersecurity AOU AL – Milestone of the main interventions regarding the mitigation actions of risks associated with vulnerabilities on the Company’s IT security” (see minutes of XX, pages XX and XX).

Finally, with regard to the strategic plan, the Company “clarified that the current management began to operate at the end of 2021, in the midst of the pandemic. This strategic plan (..) is the result of the integration of the previous plan with two new guidelines: “return to normality” and “digitalization, cybersecurity and privacy”. Since April 2022, Eng. (…) has assumed responsibility for the IT structure, expert top professionals have been acquired and the privacy service has been strengthened and reorganized. A cross-functional group (IT, DPO, quality manager) coordinated by the administrative management has also been created” (see minutes of XX, page XX).

5. Evaluations of the Department on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5 of the Code

With regard to the case described, the Office, on the basis of what was represented by the data controller in the notification of violation and what emerged during the inspection activity, as well as subsequent assessments, has notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of a procedure for the adoption of the measures pursuant to art. 58, par. 2, of the Regulation, inviting the aforementioned owner to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981). In particular, with act no. 0059959 of 17 May 2024, the Authority considered that the Company had violated the principle of "integrity and confidentiality", pursuant to art. 5, paragraph 1, letter f), of the Regulation as well as the obligations regarding the security of processing (art. 32 of the Regulation).

The same Company has sent its defense briefs, pursuant to art. 166, paragraph 6, of the Code. In particular, with a note of XX, accompanied by substantial documentation, it clarified what was expressed in the notifications of violations and during the inspection activity, declaring that:

- in relation to the failure to adopt adequate measures to promptly detect the violation of personal data, "although at the time of the events the Company did not yet have an integrated SIEM (security information and event management) and a SOC (Security Operations Center) service for 24-hour monitoring of alarms, the Company was equipped with a monitoring service for the logs of corporate firewalls, as part of the adhesion to the CONSIP SPC Cloud Framework Agreement lot 2, with the subject: "Cloud Computing, security, creation of portals and online services and application cooperation services for public administrations - ID SIGEF 1403", awarded to the R.T.I composed of XX (agent) and IBM SpA - SISTEMI INFORMATIVI S.r.l. - XX Spa (principals), approved with Resolution no. 857 of 09/13/2017, then renewed with Management Decision no. 2032 of 12/29/2021 until the end of 2023” (…). In particular, the service in question provided, through the use of the “XX” solution and XX” services (provided by XX as a subcontractor in the scope of the supply in question for which XX was the successful tenderer), guaranteed the characteristics necessary to identify threats brought to the company network and network analysis activities in step with changes in the network or the Company in general. Furthermore, from the first days of XX, approximately three weeks before the attack notification, the XX solution had been installed, a centralized platform for the aggregation and analysis of telemetry data in real time for threat detection and compliance. XX collected event data from firewalls and some of the machines in the company Data Center, supporting the reconnaissance performed with the support of the ACN team after the attack was reported to reconstruct the attackers’ lateral movements. After the attack, the investment was implemented to install the SIEM (Security information and event management), a system for managing information and security events that, by analyzing the logs relating to devices connected to the network infrastructure, allows the management and development of operational countermeasures to potential threats and vulnerabilities. The investment was already planned at the time in the company planning stage as part of the interventions fundable by measure 1.1.1 DEA Digitalization, Mission 6 of the PNRR”;

- in relation to the failure to adopt adequate measures to guarantee network security, “at the time of the attack, the company network (was) structured on a single native VLAN, also used for client and/or server data traffic. Aware of the criticality that this configuration represented, the Hospital Trust, as part of the development of the strategic plan 21 – 24 – strategic area cybersecurity (…), started a mobility procedure in March 2022 (…) with specific cybersecurity system skills, to coordinate the assistance and maintenance services of the company network and its perimeter security components. This role in the Company was no longer covered as of 06/17/2020,” (…) and the definitive hiring of the candidate found to be most suitable for experience and competence was possible only as of XX, practically less than a month before the notification of the attack suffered. It should be noted that, immediately after the attack, and thanks also to the design expertise of the senior system administrator finally integrated into the ICT Area organizational structure, a remediation plan was prepared based on the following three conceptual pillars:

• segmentation at a capillary level, with a logical network for each floor cabinet, a VLAN for electromedical devices differentiated by specialty of use (one for radiology biomedical devices, one for laboratory medical devices, one for radiology workstations, one for general medical devices) and dedicated VLANs for services that could in some way put corporate security at risk through direct exits to the Internet, typically for remote assistance services or to implement monitoring on cloud platforms.

• Securing communication between one VLAN and another, through appropriate ACL (Access Control List) filters to limit traffic. The company infrastructure allows the use of an equal ACL for each VLAN in order to increase performance. It was very important to prohibit RDP (Remote Desktop Protocol) traffic to central servers, with the exception of authorized ones (for example terminal servers).

• Implementation of an automatic VLAN management system, through the implementation, [OMISSIS], in order to authorize access to the company network only to authorized machines. With this mechanism it is possible to isolate unauthorized ones and activate blocking policies towards those network ports that have been compromised by an unauthorized MAC address”;

- “this planning (…) is being implemented”;
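The three pillars quoted above (one logical network per role, ACL filters between VLANs, RDP to the central servers only from authorized terminal servers) can be modelled as an ordered access-control list and checked before deployment. The following Python block is an added example, not the hospital's configuration or any vendor's code: the VLAN names, address ranges and rules are constructed for illustration. It evaluates sample flows against the policy and audits whether any segment other than the terminal servers can still reach the central servers over RDP.

```python
"""Toy model of the segmentation plan quoted above: one logical network per
role, an ordered ACL between VLANs, and RDP to the central servers allowed
only from the terminal servers.

Added example, not the hospital's configuration: VLAN names, address ranges
and the rule set are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed VLAN plan; the address ranges are assumptions.
VLANS = {
    "workstations":      ip_network("10.10.0.0/16"),
    "terminal_servers":  ip_network("10.20.0.0/24"),
    "central_servers":   ip_network("10.30.0.0/24"),
    "radiology_devices": ip_network("10.40.0.0/24"),
    "lab_devices":       ip_network("10.41.0.0/24"),
    "remote_assist":     ip_network("10.50.0.0/24"),  # vendor remote-assistance exit
}

RDP, HTTPS = 3389, 443
INTERNET = "internet"   # pseudo-destination for direct Internet exits


@dataclass(frozen=True)
class Rule:
    src: str             # VLAN name or "any"
    dst: str             # VLAN name, "any" or INTERNET
    port: Optional[int]  # None = any port
    action: str          # "permit" or "deny"


# Ordered ACL, first match wins; anything unmatched is denied.
ACL: List[Rule] = [
    Rule("terminal_servers", "central_servers", RDP, "permit"),
    Rule("any", "central_servers", RDP, "deny"),        # RDP only via terminal servers
    Rule("workstations", "terminal_servers", RDP, "permit"),
    Rule("workstations", "central_servers", HTTPS, "permit"),
    Rule("remote_assist", INTERNET, None, "permit"),
    Rule("radiology_devices", INTERNET, None, "deny"),  # electromedical devices stay inside
    Rule("lab_devices", INTERNET, None, "deny"),
    Rule("workstations", INTERNET, HTTPS, "permit"),
]


def vlan_of(addr: str) -> Optional[str]:
    """Map an address to its VLAN name, or None if it belongs to no known segment."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def evaluate(src_ip: str, dst: str, port: int) -> str:
    """Decide a flow. dst is an IP string or INTERNET. Unknown segments fail closed."""
    src_vlan = vlan_of(src_ip)
    dst_vlan = dst if dst == INTERNET else vlan_of(dst)
    if src_vlan is None or dst_vlan is None:
        return "deny"
    for r in ACL:
        if r.src in ("any", src_vlan) and r.dst in ("any", dst_vlan) and r.port in (None, port):
            return r.action
    return "deny"


def audit_rdp_to_servers() -> List[str]:
    """VLANs (other than the terminal servers) that can still reach the central servers over RDP."""
    target = str(VLANS["central_servers"][1])
    return [
        name for name, net in VLANS.items()
        if name not in ("terminal_servers", "central_servers")
        and evaluate(str(net[1]), target, RDP) == "permit"
    ]


if __name__ == "__main__":
    for flow in [("10.10.5.5", "10.30.0.10", RDP), ("10.20.0.5", "10.30.0.10", RDP),
                 ("10.40.0.7", INTERNET, HTTPS)]:
        print(flow, "->", evaluate(*flow))
    print("VLANs with RDP to central servers:", audit_rdp_to_servers())
```

The audit function is the useful part: the decision notes that the old network was a single flat VLAN, so the check that matters after segmentation is not whether rules exist but whether the intent (no RDP to servers except from terminal servers, no direct Internet exit for electromedical devices) survives the rule order.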

- in relation to the IT authentication procedure, “the proliferation of the number of VPNs enabled in the two-year period of management of the COVID-19 pandemic (activation of smart working stations), has certainly worsened the security posture of the network infrastructure. That said, there is no doubt that, at the time of the attack, the active VPNs did not have two-factor authentication. In any case, it is important to highlight the immediate responsiveness of the infrastructure immediately after the attack notification, implementing the MFA (Multi Factor Authentication) system, [OMISSIS] already within the first half of January. Furthermore, a VPN redesign plan has been prepared with the following logic:

• creating a real separate LDAP server and implementing ACLs for each user/company, so that access is governed by the Role Based Access principle.

• Implementing a series of accesses via terminal server to the main web application services of the hospital, managed by the balancing system;

• Starting training and information activities for users, so as to make users aware of the importance of not all services provided on the local network being reachable outside the company network”;

- in relation to the obsolescence of the basic software installed on some processing systems, "although the update of the patch relating to the CVE indicated in the attached report following the data breach notification then occurred following the attack itself, to date there is no evidence that the vulnerability found on the firewall was the direct cause of infiltration into the corporate network. Indeed, it is much more likely that there is not a single direct cause, but that it was the combined effect of the causes already explained in the aforementioned report that determined the vulnerability. Despite this, aware of the importance of acquiring an inventory & asset management system that would allow the management of updates and vulnerabilities of the installed fleet, the Company, with an order on the MEPA (Electronic Market for Public Administration) platform in September 2022 (therefore a few months before the attack), had started the process of acquiring and subsequently installing a platform for the discovery of all devices connected to the network, the assessment of the CVSS vulnerability risk index and the management of the CVEs connected to each of the assets themselves, OMISSIS”; 

- “the current strategic management, established in AO AL in June 2021 in a context still characterized by the exceptionality linked to the pandemic emergency, strongly wanted a decisive change of pace on the digitalization and cyber security front. This emerges first of all from the revision of the Strategic Plan (resolution no. 196 of 04/29/2022 - PIAO approval), with which we wanted to give on the one hand a signal of substantial continuity with respect to the previous plan, on the other a signal of strong discontinuity on two aspects considered fundamental: 1. Digitalization and skills, and a strong push towards cybersecurity and privacy (Strategic Area 1 - "C - Skills and digitalization"); 2. preparatory actions for exiting the pandemic and returning to "normality" (Strategic Area 2 - "O - Order after the storm"). Within the two strategic areas implemented, digitalization is the one on which the company has decided to set a priority strategy, and of the main guidelines, "Cybersecurity, transparency and privacy" takes on significant relevance";

- in relation to the main actions undertaken and the organization and equipment in the ICT Area, "during 2022 and more fully during 2023, the AO-AL consolidated both the technological components of its network infrastructures (both data and voice), and the skills of the related staff. One of the first actions launched at the beginning of 2022 concerned the profound reorganization of the ICT area. Starting from the change at the top of the structure (...) the structure was strengthened, with the hiring of an additional analyst manager and with the hiring of a Technical Collaborator cat. D expert in networks and cybersecurity. With the new act, the S.C. "ICT Area" also acquired the responsibility of the SS Clinical Engineering, changing the name to S.C. "ICT and Technological Innovation" and thus creating the conditions for a complete integration between two worlds now interconnected and integrated on the digital. The professional role of “ICT infrastructure and cybersecurity management” has also been identified and, starting from January 2023, the role of “Management and optimization of company software installations” has been assigned to the manager of the ICT structure";

- in relation to the main actions undertaken and the organization and provision in the Privacy Area, “with resolution no. 420 of 27/07/2021, the “Corporate privacy working group” was established with specific tasks expressly indicated and “with the revision of the company act, the new Privacy Service was created, in staff to the Strategic Management” which deals with certain specific aspects”;

- “a collaboration has been started with CSI Piemonte (in-house company of the Piedmont Region of which the AOU is a member) for “support activities in the GDPR context” (….) in the application of the “Accountability” principle provided for by REGULATION (EU) 2016/679”, with respect to specific needs expressed;

- in relation to the nature, severity and duration of the violation “the violated system is that of the shared folders in environment XX of the PdL (Work Stations) network of the Hospital Trust. The shared folders constitute a company system in which it is possible for employees to store documents, spreadsheets, presentations, and more generally any file useful for the organization of work. Theoretically, within said system there should only be documents for individual productivity purposes (therefore files for the organization of departments, work documentation, but not pertaining to patient activities), while the health data relating to the clinical pathways of patients should be managed only through the company applications that generate the electronic health records. In practice, however, there were also health data in it (e.g. copies of reports, tests, etc.), although it should be specified that these were non-indexed files, considered more as “working copies” than elements of treatment management”;

- “the issue is therefore linked to a more conscious use by hospital employees of the File Sharing environment and IT infrastructures in general and the associated risks in terms of failure to comply with the principles of protection of the processing of health data and IT security. See in this regard the section relating to the communications sent at least monthly by the Management to all medical staff regarding the reminder to use the file server for their own purposes in the chapter dedicated to the organizational measures implemented following the attack notification. In any case, the days that passed following the attack (starting from January 2, 2023) were spent analyzing, with the support of the National Cybersecurity Agency (ACN), and the support of a SOC (Security Operations Center), immediately engaged by the Company's ICT service for support on log analysis and remediation activities, the movements of the attackers in the systems of the Company's network infrastructure, in order to identify the method of first access”;

- “the one at AO AL is part of a national context well described by the authoritative CLUSIT 2024 report, in which the healthcare sector in 2023 was the fourth sector most affected by successful and publicly available cyber attacks, after Manufacturing, Professional/Scientific/Technical and ICT, with a percentage of the total incidents recorded of 9%. This percentage has quadrupled compared to the analysis period of the same report of the previous year, in which the healthcare sector constituted 2.2% of the attacks suffered by the reference IT infrastructures”;

- “the AOU (…) has made available all its email inbox channels and toll-free number to manage any possible contact with those affected by the breach of confidentiality. To date, no reports, appeals, complaints or formal notices have been received. From an infrastructural point of view, starting from day XX, the date on which a DFIR (Digital Forensic & Incident Response) team from the National Cybersecurity Agency was seconded to the Alessandria Hospital Health Authority to provide technical support in the analysis and restoration of services, and for approximately 30 days after, the following operations were introduced as immediate operational countermeasures to mitigate the effects of the breach:

• Blocking of data traffic outside of Italy;

• two-factor authentication on each service accessible from the outside (MFA – Multi Factor Authentication technology), with particular reference to access to company email accounts and access to the company network from the outside via VPN (Virtual Private Network);

• Activation of two-factor authentication of the antivirus system console, both on the endpoint and server side, which was not active at the time of the attack;

• Consolidation of the company XX system, drastically reducing, first of all, the number of users in the domain admin group, […] therefore also excluding service users.

In addition, the copy of the folders was restored, the pre-existing domain controller was deleted and two new domain controllers were created on an environment with an operating system updated to XX read and write plus two read-only domain controllers, inserting the first ones in a new VLAN with dedicated DNS services. The XX password was reset twice. The main vulnerabilities were monitored daily with the XX application and the related security changes were made. This activity was performed in collaboration with the technical support of the ACN technical team”;

- in relation to the technical and organizational measures implemented pursuant to Articles 25 and 32 of the Regulation: before the attack, “beyond the emergency event, the topic of cyber security had been the subject of planning that saw the Company engaged in a complex work of strengthening the security infrastructure and improving awareness of the risks associated with cyber attacks on users already in the period between the end of 2019 and the beginning of 2022. The main activities from which the attention and planning efforts are evident are reported below: 

• December 2019: acquisition, in a logic of technological refresh of the previous solution, of a security platform for the protection of Endpoints, Servers and mobile devices with Antimalware, Firewall, Intrusion Prevention System, Encryption and Application Control functions. The identified solution, the “XX” products, is included by Gartner in the famous report called “Magic quadrant for endpoint protection platforms” in the box reserved for “Leader” technologies, the top right quadrant (see in this regard the Management Determination n. 518 of 03/30/2020 …);

• July 2020: activation of the FAD training course “GDPR Course - EU Regulation 2016/679 – and IT security”, included in the company training plan for the years from 2020 to 2024 with 4 ECM credits. The course was configured as a basic course for all employees and external parties available on the ECM Piemonte platform;

• July 2021 in compliance with and pursuant to art. 36 of the GDPR, XX carried out a “data protection impact assessment” activity (…). The DPIA was intended to support the data controller in defining strategies for the protection of the analyzed data (in particular DSE, Processing of data relating to the health of patients and users of internal medicine services and Emergency urgency, Management control). The analysis also highlighted the security and technical measures necessary to mitigate the risk that were included in a Risk Treatment Plan and a short-term action plan to ensure the protection of personal data relating to the processing subjected to impact assessment;

• November 2021: participation, as part of a regional initiative to analyze the levels of IT risk for insurance profiling purposes as the Lead Company, in an assessment promoted by XX. The assessment activity was based on the compilation of the questionnaire [OMISSIS]. The cyber risk assessment, despite its partial randomness, having been based solely on the response to the questions in the questionnaire and given the complex nature of the topic, made it possible in any case to quantify the level of exposure to risk of the main sector areas and to compare them with sector benchmarks. Furthermore (…) the Company received in the communication of sending the report in question, confirmation that the path taken was a significant change of pace and highlighting that "many of the activities recommended in the XX report are in line with the mitigation path started, denoting the excellent awareness and willingness to intervene to improve the situation"; 

• December 2021 - January 2022: activation of a training course, now in its third edition in 2024, of cyber awareness, i.e. conscious use of IT infrastructures and tools to develop in employees a clear awareness of cyber risks through the advanced use of multimedia systems and the real involvement of all users;

• January 2022: start of an assessment, concluded in August 2022, of the level of vulnerability ("Vulnerability Assessment"), in order to then be able to plan the main corrective and consolidation actions. In particular, the study allowed to identify the vulnerabilities present on the target systems and to define a remediation plan, based on the criticality of the identified security problems and therefore giving the correct priority to the patching activities. See in this regard the document “Vulnerability Assessment 2022” (…). This remediation plan was then integrated, in June 2022, into the ICT services sector Procedure, by developing a document, then integrated into the Quality Management System of the service itself, which aligned these countermeasures with the adaptation to the standard security measures contained in the AgID Guidelines as per Circular of 18 April 2017, no. 2/2017. The document also contained a preliminary planning of the consolidation activities and corrective actions for the recovery of the anomalies detected by the third quarter of 2024. See in this regard the procedure "P 02_Piano di Adattamento misure sicurezza AgID";

• March 2022: (..) investment planning PNRR Mission 6 component 2, investment 1.1.1, where (…) investments were planned, to acquire know-how and technologies necessary to enhance the infrastructural and application security of hospital systems" and "revision of the Sector Procedure of the SC Area ICT and simultaneous dissemination to the company user population. The communication also contains a brief but exhaustive summary of the best practices to be adopted for greater awareness by the Company's employee users in the use of credentials and IT tools in general (…);

• August - October 2022: integration into the document corpus of the Quality Management System of the ICT Area of the operating instructions, developed at the same time as the Vulnerability Assessment of January 2022, relating to: Change Management - IO_2 (…); Management of Server Images and PdL – IO_3 (….); Security Incident Management - IO_4 (…); Vulnerability Management – IO_5 (…); Management of communications to and from the ICT Area sector – IO_6;

• September 2022: sending of a communication by the General Management to maintain adequate behavioral rules in the use of the company File Sharing environment, following the notification by the ICT Area SC of illegal activities. The communication also recalled the recent violation that occurred at the ASL Città di Torino, reiterating the importance of orthodox behavior for the protection of hospital cybersecurity. See the note with protocol number 19678 of 05-09-2022 (…), which reiterates that the file server system, the object of the attack, is “intended to contain only work files, and not other documents such as personal documents of patients (exams, reports in Word, etc.)”;

• September 2022: gap analysis for compliance with the ISO/IEC 27001:2013 standard. The analysis was aimed at evaluating the status of the processes currently implemented at the Hospital Trust (regulated by the Quality Management System in accordance with ISO 9001:2015) and the consolidated practices in use among the staff and evaluating the gap currently present with respect to their compliance with the ISO/IEC 27001:2013 standard, for possible future implementation. The conclusion of the report highlighted how, following the interviews carried out, it was possible to deduce that the state of implementation of the processes was quite advanced, especially in reference to the daily activities of the ICT Area, which in all likelihood "will constitute the heart of the future certification according to ISO/IEC 27001" (...);

- in relation to the technical measures implemented following the attack notification, "following the analysis carried out in conjunction with the ACN DFIR group, (...), the main corrective actions implemented are reported below:

1. Two-factor authentication system on each service accessible from the outside, with particular reference to:

• VPN: Corporate VPNs are based on XX technology. They did not have two-factor authentication. It was implemented using the OTP (One Time Password) XX technique. The user's personal email address was used as the email address, or in any case not that of the domain involved, i.e. XX. At the same time, a complete redesign of the VPNs was started and is still underway, creating a real separate LDAP server, also implementing an ACL for each user/company, in order to fully implement a Role Based Access Control type of access;

• email: Email is based on XX technology. All the filters and antispam part is managed by XX. Inside the hospital there is only one server that syncs with XX. The XX domain is replicated (like email). The obsolete and poorly functioning connector was redone on a new server and the latest release of XX;

• cloud antivirus server: since one of the most significant vulnerabilities that allowed the launch of the executable to spread the ransom note on company PCs was eliminated, the possibility of accessing the company antivirus console, via administrator user, was eliminated, the MFA was requested from the supplier, now inserted. Also in this case, the accounts are based on XX mail in order to avoid the single point of failure;

• cloud antivirus client;

2. Domain management via XX: Use of specific tools with ACN support for XX analysis (XX, XX) and for monitoring domain risk indicators (XX); administrator users have been significantly reduced, as per best practice for the use of XX, thus calibrating access based on the activities that users must perform (according to the ROLE BASED ACCESS CONTROL approach); division of administration roles, workstations, domain, centralized servers, external company servers;

3. Firewall management: closed all direct access to the Internet deemed not essential; vulnerability update; filter on traffic outside Italy; strengthening of the log collection and analysis activity;

4. User management: internally developed a portal, for the autonomous management by employees of the domain password reset (to access PCs and mail), available at an https internet link. The link to this page is also made available on the Intranet, and offers users the possibility of changing or resetting the password, without involving the administrator or the help desk, also setting a secret question and answer secondary password recovery email in case of loss. It is also functional to keep the employee personal data updated, thus reducing the risk associated with access with users no longer in use”;

- in relation to the vulnerability found downstream of the attack, concerning the "lack of segmentation at level three of network traffic, including the differentiation between a workstation and a server", the resolution action was: "immediately after the attack, new VLANs were implemented with associated ACLs for security. The cleanup of the old VLANs is being completed XX";

- in relation to the vulnerability found downstream of the attack, concerning the "management of user access levels not in line with the principle of least privilege, given that approximately 130 users had maximum administration rights", the resolution action was: "the domain administrators were reduced to four, corresponding to the infrastructure system administrators";

- in relation to the vulnerability found downstream of the attack, concerning the "lack of an Asset and Inventory management system for the management and identification of machines, even offline", the resolution action was "XX were used during the attack. Currently, the Company uses the XX solution";

- in relation to the vulnerability found downstream of the attack, concerning the "lack of organizational procedures for the insertion of machines into the network or of a form for the management of the underlying VPN requests and identification rules", the resolution action was: "revised the Workstation regulation and created forms and procedures for the storage of forms and requests";

- in relation to the vulnerability found downstream of the attack, concerning the "lack of a procedural connection between the database of the application that manages the employee records and the assignment of company work tools in a manner proportional to the contractual classifications, and therefore to the levels of responsibility envisaged for each profile", a "portal was created that connects the personnel records to the network accounts. It provides privileges and licenses based on the job";

- in relation to the vulnerability found downstream of the attack, concerning the "lack of a centralized system for managing users and consequently for managing passwords", a "portal was created that connects the personnel records to the network accounts. It provides privileges and licenses based on the job";

- in relation to the vulnerability found downstream of the attack, concerning the “non-optimal organization of the XX identity management system, with the insertion of many of the users of the employee records within multiple groups with various access privileges, with the possibility of implementing escalation techniques”, the “group system and related authorizations were reviewed with the support of the XX application”;

- in relation to the vulnerability found downstream of the attack, consisting in the fact that “obsolete communication protocols were still active, including smbv1 and NTLMv1”, “90% of the servers with smbv1 protocols were eliminated and procedures were initiated with suppliers to clean up the rest”;

- in relation to the vulnerability found downstream of the attack, consisting in the fact that "for the management of the assistance and maintenance activities of many applications, service users with administrator privileges were configured, determining the impossibility of reducing the level of privileges of the same, under penalty of interruption of availability of the related services" and that "many users for access to the VPNs granted to the companies providing application assistance services were connected to the domain and/or also domain administrators" "double authentication vpn and XX" was created and "domain administrators were remediated";
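Three of the findings above concern the same root problem: about 130 accounts with maximum administration rights, users placed in many nested groups with escalation potential, and service and vendor VPN accounts that were domain administrators. The remediation brought Domain Admins down to the four infrastructure administrators. The Python block below is an added example, not the hospital's tooling or directory data: it takes a constructed export of group membership (with nested groups) and account metadata, resolves effective Domain Admins membership transitively, and reports every member that is not an approved person, together with the nesting chain through which an account inherits the privilege. Group and account names are assumptions.

```python
"""Effective-membership audit of a constructed Domain Admins group export.

Added example, not the hospital's tooling or data: group names, account
names and the approved-administrator set are constructed.
"""
from typing import Dict, List, Set

# Constructed export: group -> direct members (user names or nested group names).
GROUPS: Dict[str, List[str]] = {
    "Domain Admins": ["sysadmin1", "sysadmin2", "sysadmin3", "sysadmin4",
                      "svc_hematology", "IT Helpdesk", "Vendor VPN Users"],
    "IT Helpdesk": ["helpdesk1", "helpdesk2"],
    "Vendor VPN Users": ["vendor_lab_support", "vendor_pacs_support"],
}

# Constructed account metadata: kind is "person", "service" or "vendor".
ACCOUNTS: Dict[str, str] = {
    "sysadmin1": "person", "sysadmin2": "person", "sysadmin3": "person", "sysadmin4": "person",
    "helpdesk1": "person", "helpdesk2": "person",
    "svc_hematology": "service",
    "vendor_lab_support": "vendor", "vendor_pacs_support": "vendor",
}

# The four infrastructure system administrators (constructed names).
APPROVED_DOMAIN_ADMINS: Set[str] = {"sysadmin1", "sysadmin2", "sysadmin3", "sysadmin4"}


def effective_members(group: str, groups: Dict[str, List[str]], _seen: Set[str] = None) -> Set[str]:
    """Resolve membership through nested groups (cycle-safe); returns user names only."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    members: Set[str] = set()
    for m in groups.get(group, []):
        if m in groups:                       # nested group: recurse into it
            members |= effective_members(m, groups, seen)
        else:
            members.add(m)
    return members


def audit_domain_admins(groups: Dict[str, List[str]], accounts: Dict[str, str],
                        approved: Set[str], root: str = "Domain Admins") -> Dict[str, List[str]]:
    """Classify every effective member of `root` that should not hold the privilege."""
    members = effective_members(root, groups)
    return {
        "unapproved_persons": sorted(m for m in members
                                     if accounts.get(m) == "person" and m not in approved),
        "service_accounts": sorted(m for m in members if accounts.get(m) == "service"),
        "vendor_accounts": sorted(m for m in members if accounts.get(m) == "vendor"),
        "unknown": sorted(m for m in members if m not in accounts),  # not in personnel records
    }


def path_to_root(user: str, groups: Dict[str, List[str]], root: str = "Domain Admins") -> List[str]:
    """Nesting chain from `root` down to `user`, or [] if the user is not an effective member."""
    def dfs(group: str, chain: List[str], seen: Set[str]) -> List[str]:
        if group in seen:
            return []
        seen.add(group)
        for m in groups.get(group, []):
            if m == user:
                return chain + [group, m]
            if m in groups:
                found = dfs(m, chain + [group], seen)
                if found:
                    return found
        return []
    return dfs(root, [], set())


if __name__ == "__main__":
    report = audit_domain_admins(GROUPS, ACCOUNTS, APPROVED_DOMAIN_ADMINS)
    for category, names in report.items():
        for n in names:
            print(f"{category:18} {n:22} via {' > '.join(path_to_root(n, GROUPS))}")
```

The nesting chain is what makes the finding actionable: a vendor account that is a domain administrator only because "Vendor VPN Users" was dropped into Domain Admins is fixed by removing one group membership, not by touching each vendor account.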

- "with regard to structural investments, beyond the operational countermeasures to contain the exposures found downstream of the attack, the AOU of Alessandria has started investments aimed at activating control services and acquiring perimeter security systems" (...) which have affected numerous profiles; 

- in relation to the organizational measures implemented following the attack notification, "first of all, a series of internal communications and reports to the relevant bodies were started as specified below:

• immediate reporting to the Postal Police and the ACN;

• preliminary reporting of the data breach to the Guarantor Authority within 72 hours as per the Regulation;

• immediate communication to the General Management and from there to the healthcare operators involved with an operational decalogue of the actions to be immediately implemented to counter the risk.

In this regard, the communications sent to XX by the company are reported regarding:

1. the invitation to all employees to restart company PCs and follow the instructions for generating a new access password according to the good practices also reiterated in the company regulations. See in this regard the email from XX of the Director of the I.C.T. Area Structure (...);

2. contact with the technical contact of the company from whose generic user account for assistance activities on the haematology application installed on the AOU of Alessandria servers the attackers' access movement was found, as highlighted by the report produced by the ACN team. See in this regard the email of XX from the Director of the I.C.T. Area Structure (…);

3. Communication to all employees of the General Management containing provisions on IT security (…);

4. communication to all employees of an update on the recovery and consolidation activities in progress following the attack (…);

5. revision of the company regulations, formally approved with Resolution of the General Manager no. 150 of XX on the correct use of the I.C.T. infrastructure of the AOU of Alessandria and related information to all employees (…);

6. creation of the new company File sharing infrastructure and new provisions on its use with information to all employees (…);

7. further sharing of the new company regulation and request to activate the users for the new company File Sharing system to the hospital users (…);

8. Communication to all employees of the General Management containing provisions on IT security (…);

9. further request to activate the users for the new company File Sharing system to the hospital users (…);

10. Communication to all employees of the General Management containing requests to comply with the provisions on IT security (…);

11. Activated the "block" function of XX and sent information to the hospital users (…);

12. Reporting of other phishing attacks (…);

13. Activated a massive communication campaign aimed at employees on "cyber security";

- “regarding organizational and procedural measures: the company regulation containing provisions for the safe use of the Company's ICT infrastructure has been adjusted, (...) “Approval of the 2023 company regulation for the use of ICT services”. This revision introduces new criteria for profiling company users according to the principle of the least possible privilege, updates the user request forms, defines the new rules for accessing the new File Sharing and company mail system, and exemplifies the methods of accessing the VPN with MFA (Multi Factor Authentication) authentication technology. It also reiterates the conscious use of access passwords and their constant review according to good generation practices to prevent them from being trivial and easily identifiable”;

- “adequate operating instructions and guidelines have been prepared for the Integrated Management of updates to electromedical devices and for the periodic monitoring of vulnerabilities from the recently acquired MDSP platform”;

- “contractual annexes have been prepared for current and future initiatives for the procurement of applications and electromedical devices to be connected to the network in such a way as to manage, already in the drafting phase of the tender specifications or definition of the Purchase Order, information elements such as the requirements of the security process, the initial determination of the risk of the device, the communication scheme”;

- “during the inspection activity (…), a substantial series of documentary supports were argued and found for a precise and timely reconstruction of the event of the XX, minutely following the collaborative requests of the officials and receiving their indications to confirm or implement all the steps necessary for the overall and complete weighted evaluation of the activities implemented to resolve the problems underlying the hacker attack and facilitate the correct determination of the consequences and the effects on personal data and on the rights and freedoms of the interested parties potentially involved. The Company has also maintained a constant collaborative relationship with ACN (...)”;

- "the categories of data impacted by the violation are personal data (name, surname, gender, date of birth, place of birth, tax code), contact data (postal or email address, landline or mobile telephone number), access and identification data (username, password), health data for users, suppliers and patients as well as employees. As regards employees, the impacted data consists of documentation relating to the normal economic activities inherent to them and any additional personal content stored in the file server folders";

- “the Company (…), has acted in recent years in a context of particular cyclical criticality:

• The SSR of the Piedmont region only in 2017 left the Recovery Plan conducted in collaboration and under the supervision of the MEF, the so-called “Tavolo Massicci”, which led to a strong contraction in the flow of expenditure in the current part and in the investment account, with heavy cuts to personnel with a total freeze on hiring for 7 years in technical-administrative roles that have greatly impoverished IT HR in a field of strong technological development; the cuts were also made in the sector of purchasing ICT goods and services and in their adaptation to the new IT achievements on which the various spending review interventions were grafted.

• The Covid-19 contagion, which hit the Alessandria area with particular speed and severity since January 2020, given the close geographical proximity to the area where it first spread, has led to further difficulties in the management of the IT sector called to the front line to deal with the pandemic emergency, slowing down the processes of adapting IT systems to higher levels of security desired by the company's strategic management for the best protection of personal data. The Covid pandemic emergency ended, as per WHO provisions, on 5/5/2023”;

- "despite this context of "extraordinary" management, the company has managed, among other things, to launch an ambitious plan to redesign its IT and information infrastructure, starting from 2021, with significant investments in hardware, software and human resources, under a strategic plan that sees digitalisation and particular attention to cybersecurity as one of its founding elements. The malicious hacker attack came at a time when this plan had been launched and was being implemented with the resources finally available (also thanks to the PNRR), leading to the subsequent acceleration of the risk mitigation plan made necessary by the development of technologies and data processing systems";

- "the notification of infiltration into the hospital network and the consequent analysis of the vulnerabilities that allowed this event abruptly accelerated a series of changes of whose necessity and urgency, especially with respect to the configuration of the previous infrastructure, the Management was absolutely convinced, and for which a process of profound restructuring and re-engineering was already underway, with significant investments started. These activities sought (...) not to limit themselves to the pure and simple acquisition of technology but, on the contrary, to start from the organisational dimension of IT security, which is far more relevant than the technical one. On the basis of this awareness, the roles and access profiles of network operators have been clearly defined, not only technical-administrative but above all healthcare staff; management rules have been defined under which certain data may be conveyed only through certain channels (certified applications and not shared folders on the file server, for example); and a strong commitment mechanism has been activated by the Management as a whole (through the assignment of specific objectives in the Performance Plan to the entire organisation), and not only by the person responsible for information systems, so that the vulnerability response plan is not oriented to the emergency, but the management of personal data security and privacy protection is an integral part of the working conduct of each employee”.

6. Outcome of the investigation

Having taken note of what was represented by the Company during the proceedings, it is noted that:

- “health data” means “personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her state of health” (Article 4, paragraph 1, no. 15, of the Regulation);

- personal data must be “processed in a manner that ensures appropriate security (…) including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (principle of “integrity and confidentiality”, Article 5, paragraph 1, letter f), of the Regulation);

- Art. 32 of the Regulation, concerning the security of processing, establishes that "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (...)" (par. 1) and that "when assessing the appropriate level of security, special account shall be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed" (par. 2).

- the “Guidelines 9/2022 on the notification of personal data breaches under the GDPR” adopted by the European Data Protection Board on 28 March 2023 also clarify that “the ability to promptly identify, address and report a breach must be considered an essential aspect” of the technical and organizational measures that the data controller and processor must implement, pursuant to art. 32 of the Regulation, to ensure an adequate level of security of personal data;

- according to Recital no. 87, “it is appropriate to verify whether all appropriate technological and organizational protection measures have been implemented to establish immediately whether there has been a personal data breach and to promptly inform the supervisory authority and the data subject”.

7. Conclusions: declaration of unlawfulness of the processing.

In light of the above, it is noted that the processing carried out in the context in question requires the adoption of the highest security standards in order not to compromise the confidentiality, integrity and availability of the personal data of a very significant number of data subjects. This, also taking into account the purposes of the processing and the nature of the personal data processed, including those belonging to particular categories and, in particular, health data. In this regard, the security obligations set out in the Regulation require the adoption of rigorous technical and organizational measures, including, in addition to those expressly identified in art. 32, par. 1, letters a) to d), all those necessary to mitigate the risks posed by the processing.

On the basis of the assessments referred to above, taking into account the declarations made by the data controller during the investigation, and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Garante, declares or certifies false information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code (“False statements to the Garante and interruption of the execution of the tasks or exercise of the powers of the Garante”), the elements provided by the data controller in the defence brief referred to above, although worthy of consideration, do not make it possible to overcome the findings notified by the Office with the aforementioned act initiating the proceedings, since none of the cases provided for by art. 11 of the Garante's Regulation no. 1/2019 apply.

From the examination of the information and elements acquired as well as the documentation provided, the processing carried out by the Company appears to be unlawful, as it was carried out in violation of art. 5, par. 1, letter f) and 32 of the Regulation, in relation to the profiles reported below.

7.1. Failure to adopt adequate measures to promptly detect the breach of personal data

During the investigation, it emerged that the malicious individuals carried out a series of operations preparatory to the cyber attack and that “the Company did not have a log management system” (see minutes of XX, pages XX and XX and of XX, page XX). From the documentation in the files, it is clear that “the management of the emergency after the attack required the acceleration of some of the measures subject to […] planning” with particular reference to the SIEM (Security Information and Event Management) to be connected to “external SOCs used as services to supplement the office hours in force at the service, in order to guarantee 24/7 coverage of the control, analysis and remediation support activity” (see Annex XX to the minutes of XX, page X). The deficiency highlighted did not allow the Company to promptly detect and become aware of the breach of personal data that occurred.

Failure to adopt adequate measures to promptly detect personal data breaches does not comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation which, in the case in question, taking into account the provisions of the aforementioned Guidelines, requires that the data controller and data processor must implement measures to “promptly identify […] a breach”. 

7.2. Failure to adopt adequate measures to guarantee network security and obsolescence of basic software installed on some processing systems

During the investigation, it emerged that the Company had not adopted adequate measures to segment and segregate the networks on which the workstations of its employees were located, as well as the systems (servers) used for processing. In fact, as also highlighted by the Company during the inspection activities, "the network was substantially flat, there was no logical or physical segmentation" and the workstations and servers were not differentiated at network level (see minutes of XX, page XX and attachment XX to the minutes of XX, pages XX and XX).

Furthermore, at the time the personal data breach occurred, remote access, via VPN, to the Company's network, occurred through a computer authentication procedure based only on the use of username and password. In relation to this aspect, the Company specified that "a multi-factor computer authentication (MFA) procedure was not foreseen for remote access in VPN. (...) The "maintenance" users were often generic, not individual, with maximum administrative privileges" and that "although instructions had been provided to the staff regarding the choice of password, inspired by good industry practices, no system configuration was foreseen that incorporated such instructions. The users who performed the administrator functions used different users, depending on whether they were personal domain users or users with administrative privileges. In the latter case, the credentials, which did not have a specific password policy, were generally shared between the different administrators" (see minutes of XX, page XX). With reference to this profile, the Company, following the incident, deemed it necessary to "activate the MFA, certify the VPN and identify named users (using specific forms), in compliance with the principle of "minimum privilege"".

During the investigation, it emerged that "it is presumed that the attacker may have exploited a vulnerability relating to the perimeter firewall XX [and] that the version of the operating system of the firewall XX was vulnerable" and that "various obsolete communication protocols were still active". In relation to this aspect, the Company, following the incident, proceeded with the technological updating of the equipment and infrastructure.

The failure to implement, at the time of the violation, adequate measures to guarantee the security of the networks and the use of obsolete basic software, for which security updates are no longer available, does not appear to be fully compliant with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation which, in the case in question, requires that the data controller and the data processor must implement measures to “ensure on an ongoing basis the confidentiality, integrity, availability and resilience of processing systems and services” (letter b)).

8. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of arts. 5, par. 1, letter f) and 32 of the Regulation, caused by the conduct carried out by the Company, entails the application of the administrative pecuniary sanction pursuant to art. 83, par. 4 and 5 of the Regulation.

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to “impose an administrative pecuniary sanction pursuant to Article 83, in addition to the (other) (corrective) measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case”, by adopting an injunction order (Article 18 of Law No. 689 of 24 November 1981), in relation to the processing of personal data carried out by the Company, which has been found to be unlawful, in the terms set out above.

Considering it necessary to apply paragraph 3 of Article 83 of the Regulation where it provides that “if, in relation to the same processing or connected processing, a data controller […] violates, with intent or negligence, several provisions of this Regulation, the total amount of the administrative pecuniary sanction shall not exceed the amount specified for the most serious violation”, the total amount of the sanction is calculated so as not to exceed the maximum amount set out in the same Article 83, paragraph 5.

In light of the above and, in particular, of the category of personal data affected by the violation, which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms, it is believed that the level of severity of the violation committed by the Company is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60), despite the unintentional nature of the violation (the episode appears to have been caused by malicious conduct by a third party, formally reported to the postal police). 

Having said this, certain elements are assessed as a whole and, in particular, that:

- the Guarantor became aware of the event following the notification of violation made by the Company, pursuant to art. 33 of the Regulation and no complaints or reports have been received regarding the violation that is the subject of this provision (Article 83, paragraph 2, letters h) and k) of the Regulation);

- the data controller, in order to avoid the repetition of the event that occurred, has undertaken to introduce measures aimed at reducing the replicability of the event that occurred and has cooperated with the Authority in every phase of the investigation, including the inspection phase, in order to remedy the violation and mitigate its possible negative effects (Article 83, paragraph 2, letters c) and f) of the Regulation);

- the management of the pandemic emergency has made it necessary to strongly involve the IT sector, with the consequent significant slowdown in the systems adaptation processes (Article 83, paragraph 2, letter k) of the Regulation).

In light of the elements indicated above and the assessments carried out, it is believed, in this case, to determine the amount of the pecuniary sanction in the amount of € 25,000.00 (twenty-five thousand/00) for the violation of Articles 5 and 32 of the same Regulation, based on the principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere, pursuant to Article 83, paragraph 1, of the Regulation.

In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. This, in consideration of the type of personal data subject to unlawful processing and the number of interested parties involved.

GIVEN ALL THE ABOVE, THE GUARANTOR
pursuant to Articles 57, paragraph 1, letter f) and 83 of the Regulation, finds the unlawfulness of the processing carried out by the Azienda Ospedaliero-Universitaria SS. Antonio e Biagio e Cesare Arrigo, with registered office in Alessandria, via Venezia, 16 – 15121 - C.F. – P.I. n. 01640560064, within the terms set out in the reasons, for the violation of articles 5 and 32 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, to the same Company, in the person of its legal representative pro-tempore, to pay the sum of Euro 25,000.00 (twenty-five thousand/00) as an administrative pecuniary sanction for the violation indicated in this provision.

ORDERS

the aforementioned Company to pay the sum of Euro 25,000.00 (twenty-five thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, failing which the consequent enforcement actions pursuant to art. 27 of Law no. 689/1981 will be adopted. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender has the right to settle the dispute by paying, again according to the methods indicated in the attachment, an amount equal to half of the fine imposed, within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

ORDERS

a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website;

c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days of the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 17 October 2024




THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE GENERAL SECRETARY
Mattei


[web doc. no. 10086523]

Provision of 17 October 2024

Register of provisions
no. 621 of 17 October 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA


IN TODAY’S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, “General Data Protection Regulation” (hereinafter the “Regulation”);

SEEN Legislative Decree no. 196 of 30 June 2003, containing the “Personal Data Protection Code”, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the “Code”);

SEEN Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”;

SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution no. 98 of 4/4/2019, published in the Official Journal no. 106 of 8/5/2019 and in www.gpdp.it, web doc. no. 9107633 (hereinafter “Regulation of the Guarantor no. 1/2019”);

SEEN the documentation in the files;

SEEN the observations formulated by the general secretary pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, web doc. no. 1098801;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS


1.    The violation of personal data

On XX the SS. Antonio e Biagio e Cesare Arrigo University Hospital of Alessandria, hereinafter “Company”, transmitted to the Authority, pursuant to art. 33 of the Regulation, a notification of personal data breach - integrated with notes of XX and XX - regarding a cyber attack on the Company's information systems caused by a ransomware malware "Ragnar Locker".

Given the high number of data subjects involved and the nature of the personal data subject to the breach, it was necessary to investigate the circumstances in which the aforementioned personal data breach occurred, as well as the security measures adopted, through an inspection of the Company in January 2024.

2.    The fact

The personal data breach was described both in the notification made to the Authority, in several phases, pursuant to art. 33 of the Regulation, and during the aforementioned inspection. In particular, the following emerged.

2.1.    Notification of the breach to the Guarantor

Preliminarily, with the notification of XX, the Company declared that “the Company’s infrastructure was the subject of a cyber attack by a group that released a ransomware called “Ragnar Locker”” (see notification of XX, section XX, point XX).

Subsequently, the Company updated the information regarding the violation by declaring that “during the night between XX and approximately XX hours of the following day, the IT infrastructure of the Hospital Company (…) saw many of the PCs on its network invaded by a message notifying of a hacker attack by a group called "Ragnar Locker". The message states that the content exfiltrated from the shared folders would be offered for sale by third parties if there was no contact on the TOR channel for instructions within three days. It should be noted that the attack was limited to the part of the Hospital infrastructure containing data shared by users, i.e. files shared via file servers. The healthcare applications installed at the central company data centre were not attacked. No software or user services were violated. Therefore, the hospital did not suffer any disruptions or limitations in the exercise of its institutional function” (see notification of XX and XX, section X, point X).

As regards the number of data subjects whose health data were affected by the attack, the Company stated that “the content of the violated folders is being evaluated as information was published on the TOR channel on XX by the "Ragnar Locker" group” and that the data subjects can be traced back to the macro-categories of employees, consultants and patients (see notification of XX, section XX, point XX).

2.2. Inspection Activities

During the inspection activities, the Company, with regard to the methods and timing of the attack, declared that "the workstations (PdL) and the file sharing system (used in fact as the only document manager) to which the PdLs were connected were the object of the attack" and, confirming what was already declared in the notification of personal data breach, "clarified that, from the reconstruction, carried out also thanks to the intervention of the CSIRT and the availability of the firewall logs, the first access attempts date back to XX, a period in which discovery activities and, therefore, lateral movement were detected, and the attack was then launched, presumably, at the beginning of XX. From the aforementioned reconstruction, the point of origin, although there is no certain evidence as the Company did not have a log management system, seems to have been the exploitation of a vulnerability in the XX corporate firewall, through which malicious individuals recovered some domain credentials and conducted lateral movements that, through an any-to-any VPN connection, allowed access to a company PC with an open VPN, privilege escalation to administrator, the dumping of credentials held by the LSASS service, and finally the massive download of the contents of the file server to storage located in the Netherlands and the installation of an SSH backdoor. (…) All the folders on the file server were accessible from any PdL in the hospital. (…) The malicious individuals deactivated the antivirus and inoculated the executable code that downloaded the ransom note onto the PdLs, although they did not proceed with data encryption”, (…) “from the reconstruction carried out, a user belonging to the supplier’s staff, recovered from the XX firewall configuration file, was used for the attack to access the VPN” (see minutes of XX, pages XX and XX and of XX, page X).

With regard to the extent of the violation with reference to the company’s healthcare and administrative-accounting applications, the Company declared that “the company applications had no impact and there were no disruptions or interruptions in the provision of healthcare services to the patients. For internal users, access was limited following the review of the user management policies and the assignment of privileges to administrators which, at the time of the violation, was not differentiated. This, both by custom and by operational simplification, also with reference to the suppliers of the applications and electromedical equipment that carry out their maintenance. The violation therefore only concerned the confidentiality profile" and intended to specify that "the hacker group Ragnar Locker, author of the attack, was dismantled, as per news reports" (see minutes of XX, page XX).

Also during the inspection activities, the Company declared that "it was not possible to estimate the approximate number of interested parties involved in the violation, as each structure had a shared folder on the aforementioned file server used both for the management of the departments but also for the storage of health documents. To understand the nature and content of these documents (also in relation to the type of data processed and interested parties involved), which were not indexed, a specific and non-automated file analysis activity would have been necessary. Initially, in fact, the individual structures had been given a mandate to operate in this direction but, following the huge amount of documentation to be examined and the priorities identified by the Region in the post-COVID period for the recovery of waiting lists, this activity was interrupted. The party specified that it is likely that among those interested there are also minors" (see minutes of XX, pages XX and XX).

3. The measures in place at the time of the violation

3.1. Notification of the violation to the Guarantor

With reference to the measures in place at the time of the violation, the Company declared that "through the training tool, in particular from XX, a cyber awareness course was activated to increase the conscious use of the tools including the sharing of documents and sensitive data XX or file sharing. In XX, the general management sent a note with the obligation to respect the rules of correct storage and sharing of files on file servers after having found seriously anomalous behavior in the use of the file sharing environment" (see notification of XX, section XX, point XX).

3.2. Inspection activities

During the inspection activities, the Company declared that “it has a Regulation for the use of the ICT infrastructure adopted in 2021 and updated in 2022 in which, among other things, instructions and indications were identified regarding password policies and the correct use of the file server. Furthermore, on 3 April 2023, the “Cybersecurity Decalogue” published on the company intranet was transmitted XX; (in addition, a) note (…) XX was sent to all staff in September 2022, which recalled part of those indications with particular reference to the correct use of the file server”; that “it has an ISO 9001 certified quality management system, through which any critical issues in the privacy area are also detected thanks to the customer satisfaction and internal audit process. In this regard, internal auditors have been specifically trained and the quality management system audit model is taken into account by the DPO team”; and that “the configuration of the workstations (PdL) at the time of the incident included 70% of the XX operating system and the remaining 30% of the XX operating system. Following the violation, through the purchase plan of new PdLs in agreement with CONSIP, all workstations were progressively replaced. The antivirus software used for the PdLs and servers (XX) did not have different configurations for the different operating systems and allowed for profiling of the protection levels (more or less high). The expected protection level was lower on XX machines and, in particular cases, on some XX machines, in consideration of the potential negative impact on the operation of the machine and its performance, also due to the hardware resources present (…) the perimeter security services connected to the management of the same firewall were guaranteed within the framework of the CONSIP SPC 2 agreement; no security measures were adopted to protect and limit access to the memory area used by the lsass.exe process (Local Security Authority Subsystem Service - LSASS), such as hardening activities on the operating system (e.g. correct configuration of the relevant registry key). (…) Hitachi servers were used, acquired through direct assignment with management and maintenance by external resources. A technological update project for the data centre and backups was subsequently activated, tested in March 2023 (…)”; that “at the time of the personal data breach, the tender for the implementation of the aforementioned project was being awarded” (see minutes of XX page XX and XX pages XX and XX).

Regarding the IT authentication procedures used in the context of VPN access and to the workstations in place at the time of the breach and the password policies envisaged for the different types of users, the Company, during the inspection activities, declared that:

- “a multi-factor IT authentication procedure was not envisaged (MFA) for remote access in VPN, used before the pandemic exclusively by suppliers and, subsequently, also by employees for the "remotization" of PdLs, after acquiring the list of personnel to be authorized. The "maintenance" users were often generic, not individual, with maximum administrative privileges. Following the incident, the following steps were taken: to activate the MFA, to certify the VPN and to identify nominal users (using specific forms), in compliance with the "minimum privilege" principle";

- "although instructions had been provided to the staff regarding the choice of password, inspired by good industry practices, no system configuration was envisaged that incorporated these instructions. Users who performed administrator functions used different users, depending on whether they were personal domain users or users with administrative privileges. In the latter case, the credentials, which did not have a specific password policy, were generally shared between the different administrators" (see minutes of XX, page XX).

During the inspection activities, in reference to the security measures in place at the time of the personal data breach, relating to network segmentation, the Company declared that "the network was essentially flat, there was no logical or physical segmentation and the network infrastructure was managed by external personnel as part of the services acquired through the aforementioned framework agreement; since December 2022, the Company has acquired an internal resource as a senior systems engineer specifically to manage the network design and review activities. Segmentation is currently planned for new installations and the existing infrastructure and over 6,000 connected devices are being adapted. At an organizational level, starting from July 2023, the clinical engineering unit has also been merged into the new complex organizational unit "ICT and Technological Innovation" for an integrated and more efficient management of electromedical applications and devices" (see minutes of XX, page XX).

With regard to the technical and organizational measures adopted to ensure the availability and resilience of processing systems and services, as well as the timely restoration of availability and access to personal data in the event of an incident, the Company stated that “the infrastructure dedicated to backup performed a periodic (typically weekly) screenshot of virtual machines without a retention policy” (see minutes of XX, page XX).

Regarding the security event monitoring tools used for real-time detection of security incidents, with particular reference to monitoring software, the Company stated that “following an assessment carried out in the first months of 2022 […] the need was identified to equip itself with: an asset management system; a SIEM, together with a 24-hour SOC service with a SOAR component (alert orchestration and event correlation); SSL certificates for domains registered in the name of the Company and new firewalls” (see minutes of XX, page XX).

From the documentation acquired during the activity, it is clear that at the time of the attack there were numerous vulnerabilities at the network level (“there is no segmentation at level three of network traffic. (…) No workstations (and) servers (are differentiated at the network level). (…) Many (users) had maximum administration rights. The database (…) is an XX that has many security holes. (…) Escalation techniques can be implemented. Various obsolete communication protocols are still active. (…) The VPN users were connected to the domain and those of the companies were also domain administrators”) (see attachment 1 to the minutes of the XX, pages XX and XX).
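The deficiencies listed in this paragraph (generic maintenance accounts with maximum administrative rights, supplier VPN accounts that were also domain administrators, remote access without MFA, administrator passwords shared between people) are all visible in a plain directory export once it is checked systematically. The following audit, added here as an example and not the hospital's or the Authority's tooling, runs such checks over a constructed account inventory; group names follow Windows-domain conventions and every account name is invented.

```python
"""Audit of a constructed directory export for the account weaknesses the decision
lists. Example code added here; it is not the hospital's tooling or the DPA's."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Groups that confer "maximum administrative privileges" (assumed Windows-domain names).
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Account:
    sam: str                      # logon name
    owner: Optional[str]          # natural person behind the account; None = generic/shared
    groups: Set[str]
    vpn_enabled: bool = False     # allowed to connect remotely over the VPN
    mfa_enrolled: bool = False    # second factor enforced for that remote access
    credential_id: str = ""       # constructed stand-in for "uses the same password as"


def is_admin(acc: Account) -> bool:
    return bool(acc.groups & ADMIN_GROUPS)


def audit(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for every weakness detected."""
    # count how many accounts share each credential, to spot shared admin passwords
    shared: Dict[str, int] = {}
    for a in accounts:
        if a.credential_id:
            shared[a.credential_id] = shared.get(a.credential_id, 0) + 1

    findings: List[Tuple[str, str]] = []
    for a in accounts:
        if is_admin(a) and a.owner is None:
            findings.append((a.sam, "generic account with administrative privileges"))
        if a.vpn_enabled and is_admin(a):
            findings.append((a.sam, "VPN account holds domain-admin rights"))
        if a.vpn_enabled and not a.mfa_enrolled:
            findings.append((a.sam, "VPN access without MFA"))
        if is_admin(a) and shared.get(a.credential_id, 0) > 1:
            findings.append((a.sam, "administrator credential shared between accounts"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per issue type, for a quick posture overview."""
    counts: Dict[str, int] = {}
    for _, issue in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


# Constructed sample inventory (all names and values invented for the example).
SAMPLE = [
    Account("maint_vendor1", None, {"Domain Admins"}, vpn_enabled=True, credential_id="shared-1"),
    Account("maint_vendor2", None, {"Domain Admins"}, vpn_enabled=True, credential_id="shared-1"),
    Account("mrossi", "M. Rossi", {"Domain Users"}, vpn_enabled=True, mfa_enrolled=True),
    Account("mrossi-adm", "M. Rossi", {"Domain Admins"}, credential_id="own-2"),
    Account("lbianchi", "L. Bianchi", {"Domain Users"}, vpn_enabled=True),
]

if __name__ == "__main__":
    for sam, issue in audit(SAMPLE):
        print(f"{sam:15} {issue}")
```

The nominal administrator account (mrossi-adm) with its own credential and no remote access produces no finding, which is the target state the Company describes after the incident: individual users, MFA on the VPN, and administrative rights restricted to system administrators.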

With regard to the methods by which security incidents are brought to the attention of the parties involved in various capacities and the process for managing security incidents in the event that they involve a breach of personal data, the Company specified that “at the time of the personal data breach, there was an operating instruction attached to the Regulation for the use of IT tools, (…) concerning incident management with a focus mainly on events reported by perimeter security systems and aimed primarily at IT personnel”; that “the Company has established by resolution (…) a privacy group which includes members of various Company structures, operational at the time of the personal data breach”; that “it has equipped itself with a software tool called “XX” for the management of the protection of personal data processed by the Company” and that “it has prepared a data breach procedure, included in the quality system and made known to all XX employees and also available on the intranet” (see minutes of XX, pages XX and XX).

In any case, it was highlighted that "for a year and a half before the XX, beyond the emergency event, the topic of cyber security had been the subject of planning that saw the Company engaged in a complex work of strengthening the security infrastructure and improving awareness of the risks associated with cyber attacks on users. (...) In November 2021, among the first in Piedmont, the Company had also conducted a survey, based on 110 questions relating to 9 domains and 35 control areas, to quantify the level of exposure to risk of the main sector areas and to compare them with sector benchmarks. The analysis then also suggested, also based on experience in the field of cybersecurity, companies with similar risk levels and guidelines for investment planning". “Since January 2022, starting from the analysis of the level of adequacy to the standard of the minimum levels of the AgID guidelines n.2/2017, we have already identified in the first quarter of 2022 the list of remediations to reach the level of full compliance with at least the minimum set and 95% of the standard set by 2023. This planning was then incorporated into the document “P 02_AgID minimum measures adjustment plan” of June 2022, a sector procedure of the ICT Area forming part of the documentary corpus of the Quality Management System” (see attachment 1 to the minutes of XX, pages XX and XX).

4. The measures adopted following the violation

4.1. Notification of the breach to the Guarantor

With reference to the measures adopted following the breach, the Company stated that “at a preventive level (the rules for accessing the Internet via the firewall) were further restricted”, “access as an administrator to users external to the company network (typically the maintainers of application providers) was limited”, “a joint analysis was initiated with the antivirus provider and with the partner managing the network and related active devices to verify potential vulnerabilities under their responsibility or containment actions” and, subsequently, that “the operational countermeasures implemented after the attack were the following: two-factor authentication system on each service accessible from the outside with particular reference to VPN, e-mail, cloud antivirus server and cloud antivirus clients. Domain management via XX (in particular, administrator users have been reviewed and therefore significantly reduced, calibrating access based on the activities that users must perform) Firewall management Communications and reports to the relevant bodies (Postal Police, ACN, immediate communication to the general management and the operators involved with an operational decalogue of the actions to be implemented)” (see notifications of XX and XX, section XX, point XX).

4.2. Inspection activities

During the inspection activities, the Company declared that “following the reporting of the presence of the ransom note by the IT service, the DPO and the general management were contacted via an email containing information about the type of violation suffered, the content of the ransom note (request for ransom of the published data). Subsequently, the report was made via the dedicated CSIRT service (ACN) and a complaint was filed with the postal police. Several communications were also sent both between the directors of the structures involved and to all the staff. (…) A further in-depth phase was then carried out (…); it was verified that the attacker did not persist in the network by remaining passively connected, the backdoor, in fact, was dismantled and no further evidence of persistence was detected”; that the “protection levels (of the workstations) were progressively raised” and that “the backup of data and systems (mailboxes, file servers, management systems, etc.) was consolidated with a [OMISSIS] type strategy” (see minutes of XX, page XX).

With regard to the file server involved in the violation of personal data, the Company declared that “it is in an advanced stage of decommissioning and is currently accessible in read-only mode. This server has been replaced by a new file sharing infrastructure, with permissions and authorisations related to each reference structure that has a folder named with the code of the relative responsibility centre. On this folder, the director of the facility has all the permissions (e.g. reading, writing, sharing, etc.) and manages the authorizations of his collaborators. In addition to this environment, the file sharing tool is available in XX, XX” (see minutes of XX, pages XX and XX).

With regard to technical and organizational measures, the Company also stated that “the plan for the structural strengthening of IT services originated following the assessment carried out at the beginning of 2022 (…) in which the main measures to be adopted were indicated, in order to mitigate the critical issues identified, indicating the hypotheses for the termination of the activities (end of 2022) also useful for the purpose of distributing the necessary economic investments. Following the attack, the priorities of the plan were reviewed, with particular reference to: review of user authorizations, reorganization of the company XX (new domain controllers created, reduction of the number of users belonging to the admin group restricted to system administrators only, review of policies), segmentation plan of both the logical (VLAN) and physical network of the various structures, purchase of an XX balancer to manage incoming and outgoing traffic, load management and to create the VPN with MFA. In 2023, thanks to PNRR funds: the SIEM and SOC service were activated, a WAF was acquired, the technological update of the XX VOIP switchboard equipment and infrastructure was carried out, the antivirus platform was updated (XDR module for endpoints and servers), a methodological support project was launched for the clinical engineering structure for the analysis of the security posture of connected electromedical devices and the management of the life cycle of the devices, in order to comply with the security requirements in the various phases (e.g. purchase, installation, maintenance); an XX asset management system has also been acquired”. It was also declared that “an e-learning training course on cyber awareness topics has been activated for all operators, in multiple modules with a final learning test, which has currently seen the active participation of approximately 45% of the staff. To make this measure fully effective, the aforementioned training activity has been included in the 2024 company objectives. Furthermore, the Company has joined the “Syllabus” training platform, made available by the Department of Public Function of the Presidency of the Council of Ministers”, “that internal operating instructions have been provided for the correct reset of passwords and, shortly, a portal will be available to automatically reset passwords in compliance with the rules established in the password policy” providing the document “Measures for Cybersecurity AOU AL – Milestone of the main interventions regarding the mitigation actions of risks connected to vulnerabilities on the Company’s IT security” (see minutes of XX, pages XX and XX).

Finally, with regard to the strategic plan, the Company “clarified that the current management began operating at the end of 2021, in the midst of the pandemic. This strategic plan (..) is the result of the integration of the previous plan with two new guidelines: “return to normality” and “digitalization, cybersecurity and privacy”. Since April 2022, Eng. (…) has assumed responsibility for the IT structure, expert top professional figures have been acquired and the privacy service has been strengthened and reorganized. A cross-functional group (IT, DPO, quality manager) coordinated by the administrative management has also been created” (see minutes of XX, page XX).

5. Evaluations by the Department on the processing carried out and notification of the violation pursuant to art. 166, paragraph 5 of the Code

With regard to the situation described, the Office, on the basis of what was represented by the data controller in the notification of violation and what emerged during the inspection activity, as well as subsequent assessments, notified the Company, pursuant to art. 166, paragraph 5, of the Code, of the initiation of a proceeding for the adoption of the measures referred to in art. 58, paragraph 2, of the Regulation, inviting the aforementioned data controller to produce written defenses or documents to the Guarantor or to request to be heard by the Authority (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law no. 689 of 24 November 1981). In particular, with act no. 0059959 of 17 May 2024, the Authority considered that the Company had violated the principle of "integrity and confidentiality", pursuant to art. 5, par. 1, letter f), of the Regulation as well as the obligations regarding the security of processing (art. 32 of the Regulation).

The same Company has sent its defensive briefs, pursuant to art. 166, paragraph 6, of the Code. In particular, with a note of XX, accompanied by substantial documentation, it clarified what was expressed in the notifications of violations and during the inspection activity, declaring that:

- in relation to the failure to adopt adequate measures to promptly detect the violation of personal data, "although at the time of the events the Company did not yet have an integrated SIEM (security information and event management) and a SOC (Security Operations Center) service for 24-hour monitoring of alarms, the Company was equipped with a monitoring service for the logs of corporate firewalls, as part of the adhesion to the CONSIP SPC Cloud Framework Agreement lot 2, with the subject: "Cloud Computing, security, creation of portals and online services and application cooperation services for public administrations - ID SIGEF 1403", awarded to the R.T.I composed of XX (agent) and IBM SpA - SISTEMI INFORMATIVI S.r.l. - XX Spa (principals), approved with Resolution no. 857 of 09/13/2017, then renewed with Management Decision no. 2032 of 12/29/2021 until the end of 2023” (…). In particular, the service in question provided, through the use of the “XX” solution and XX” services (provided by XX as a subcontractor in the scope of the supply in question for which XX was the successful tenderer), guaranteed the characteristics necessary to identify threats brought to the company network and network analysis activities in step with changes in the network or the Company in general. Furthermore, from the first days of XX, approximately three weeks before the attack notification, the XX solution had been installed, a centralized platform for the aggregation and analysis of telemetry data in real time for threat detection and compliance. XX collected event data from firewalls and some of the machines in the company Data Center, supporting the reconnaissance performed with the support of the ACN team after the attack was reported to reconstruct the attackers’ lateral movements. After the attack, the investment was implemented to install the SIEM (Security information and event management), a system for managing information and security events that, by analyzing the logs relating to devices connected to the network infrastructure, allows the management and development of operational countermeasures to potential threats and vulnerabilities. The investment was already planned at the time in the company planning stage as part of the interventions fundable by measure 1.1.1 DEA Digitalization, Mission 6 of the PNRR”;

- in relation to the failure to adopt adequate measures to guarantee network security, “at the time of the attack, the company network (was) structured on a single native VLAN, also used for client and/or server data traffic. Aware of the criticality that this configuration represented, the Hospital Trust, as part of the development of the strategic plan 21 – 24 – strategic area cybersecurity (…), started a mobility procedure in March 2022 (…) with specific cybersecurity system skills, to coordinate the assistance and maintenance services of the company network and its perimeter security components. This role in the Company was no longer covered as of 06/17/2020,” (…) and the definitive hiring of the candidate found to be most suitable for experience and competence was possible only as of XX, practically less than a month before the notification of the attack suffered. It should be noted that, immediately after the attack, and thanks also to the design expertise of the senior system administrator finally integrated into the ICT Area organizational structure, a remediation plan was prepared based on the following three conceptual pillars:

• segmentation at a capillary level, with a logical network for each floor cabinet, a VLAN for electromedical devices differentiated by specialty of use (one for radiology biomedical devices, one for laboratory medical devices, one for radiology workstations, one for general medical devices) and dedicated VLANs for services that could in some way put corporate security at risk through direct exits to the Internet, typically for remote assistance services or to implement monitoring on cloud platforms.

• Securing communication between one VLAN and another, through appropriate ACL (Access Control List) filters to limit traffic. The corporate infrastructure allows the use of an equal ACL for each VLAN in order to increase performance. It was very important to prohibit RDP (Remote Desktop Protocol) traffic to central servers, with the exception of authorized ones (for example, terminal servers).

• Implementation of an automatic VLAN management system, through the implementation, [OMISSIS], in order to authorize access to the corporate network only to authorized machines. With this mechanism it is possible to isolate unauthorized ones and activate blocking policies towards those network ports that have been compromised by an unauthorized MAC address”;

- “this planning (…) is being implemented”;

- in relation to the IT authentication procedure, “the proliferation of the number of VPNs enabled in the two-year period of management of the COVID-19 pandemic (activation of smart working stations), has certainly worsened the security posture of the network infrastructure. That said, there is no doubt that, at the time of the attack, the active VPNs did not have two-factor authentication. In any case, it is important to highlight the immediate responsiveness of the infrastructure immediately after the attack notification, implementing the MFA (Multi Factor Authentication) system, [OMISSIS] already within the first half of January. Furthermore, a VPN redesign plan has been prepared with the following logic:

• creating a real separate LDAP server and implementing ACLs for each user/company, so that access is governed by the Role Based Access principle.

• Implementing a series of accesses via terminal server to the main web application services of the hospital, managed by the balancing system;

• Starting training and information activities for users, so as to make users aware of the importance that not all services provided on the local network can be reached outside the company network”;

- in relation to the obsolescence of the basic software installed on some processing systems, "although the update of the patch relating to the CVE indicated in the attached report following the data breach notification then occurred following the attack itself, to date there is no evidence that the vulnerability found on the firewall was the direct cause of infiltration into the corporate network. Indeed, it is much more likely that there is not a single direct cause, but that it was the combined effect of the causes already explained in the aforementioned report that determined the vulnerability. Despite this, aware of the importance of acquiring an inventory & asset management system that would allow the management of updates and vulnerabilities of the installed fleet, the Company, with an order on the MEPA (Electronic Market for Public Administration) platform in September 2022 (therefore a few months before the attack), had started the process of acquiring and subsequently installing a platform for the discovery of all devices connected to the network, the assessment of the CVSS vulnerability risk index and the management of the CVEs connected to each of the assets themselves, OMISSIS”; 

- “the current strategic management, established in AO AL in June 2021 in a context still characterized by the exceptionality linked to the pandemic emergency, strongly wanted a decisive change of pace on the digitalization and cyber security front. This emerges first of all from the revision of the Strategic Plan (resolution no. 196 of 04/29/2022 – PIAO approval), with which we wanted to give on the one hand a signal of substantial continuity with respect to the previous plan, and on the other a signal of strong discontinuity on two aspects considered fundamental: 1. Digitalization and skills, and a strong push towards cybersecurity and privacy (Strategic Area 1 - “C - Skills and digitalization”); 2. preparatory actions for exiting the pandemic and returning to “normality” (Strategic Area 2 - “O - Order after the storm”). Within the two strategic areas implemented, digitalization is the one on which the company has decided to set a priority strategy, and of the main guidelines, “Cybersecurity, transparency and privacy” takes on significant relevance”;

- in relation to the main actions undertaken and the organization and equipment in the ICT Area, “during 2022 and more fully during 2023, the AO-AL consolidated both the technological components of its network infrastructures (both data and voice), and the skills of the related personnel. One of the first actions launched at the beginning of 2022 concerned the profound reorganization of the ICT area. Starting from the change at the top of the structure (…) the structure has been strengthened, with the hiring of an additional analyst manager and with the hiring of a Technical Collaborator cat. D expert in networks and cybersecurity. With the new act, the S.C. “ICT Area” has also acquired the responsibility of the SS Clinical Engineering, changing the name to S.C. “ICT and Technological Innovation” and thus creating the conditions for a complete integration between two worlds now interconnected and integrated on the digital. The professional role of “Management of ICT infrastructure and cybersecurity” has also been identified and, from January 2023, the role of “Management and optimization of company software installations” has been assigned to the manager of the ICT structure;

- in relation to the main actions undertaken and the organization and equipment in the Privacy Area, "with resolution no. 420 of 07/27/2021, the "Corporate Privacy Working Group" was established with specific tasks expressly indicated" and "with the revision of the company act, the new Privacy Service was created, in staff to the Strategic Management", which deals with certain specific aspects;

- "a collaboration was started with CSI Piemonte (in-house company of the Piedmont Region of which the AOU is a member) for "support activities in the GDPR area" (....) in the application of the "Accountability" principle provided for by REGULATION (EU) 2016/679", with respect to specific needs expressed; 

- in relation to the nature, severity and duration of the violation "the violated system is that of the shared folders in the XX environment of the PdL (Workstations) network of the Hospital Trust. Shared folders are a company system in which employees can store documents, spreadsheets, presentations, and more generally any file useful for organizing work. Theoretically, this system should only contain documents for individual productivity purposes (so files for organizing departments, work documentation, but not related to patient activities), while health data relating to patients' clinical pathways should be managed only through company applications that generate electronic health records. In practice, however, it also contained health data (e.g. copies of reports, tests, etc.), although it should be noted that these were non-indexed files, which should be considered more as "working copies" than as elements of treatment management";

- "the issue is therefore linked to a more conscious use by hospital employee users of the File Sharing environment and IT infrastructures in general and the associated risks in terms of failure to comply with the principles of protection of the processing of health data and IT security. In this regard, see the section relating to the communications sent at least monthly by the Management to all medical staff regarding the reminder to use the file server for their own purposes in the chapter dedicated to the organizational measures implemented following the attack notification. In any case, the days that passed following the attack (starting from January 2, 2023) were spent analyzing, with the support of the National Cybersecurity Agency (ACN), and the support of a SOC (Security Operations Center), immediately engaged by the Company's ICT service for support on log analysis and remediation activities, the movements of the attackers in the systems of the Company's network infrastructure, in order to identify the method of first access"; 

- “the one at AO AL is part of a national context well described by the authoritative CLUSIT 2024 report, in which the healthcare sector in 2023 was the fourth sector most affected by successful and publicly available cyber attacks, after Manufacturing, Professional/Scientific/Technical and ICT, with a percentage of the total incidents recorded of 9%. This percentage has quadrupled compared to the analysis period of the same report of the previous year, in which the healthcare sector constituted 2.2% of the attacks suffered by the reference IT infrastructures”;

- “the AOU (…) has made available all its email inbox channels and toll-free number to manage any possible contact with those affected by the breach of confidentiality. To date, no reports, appeals, complaints or formal notices have been received. From an infrastructural point of view, starting from day XX, the date on which a DFIR (Digital Forensic & Incident Response) team from the National Cybersecurity Agency was seconded to the Alessandria Hospital Health Authority to provide technical support in the analysis and restoration of services, and for approximately 30 days after, the following operations were introduced as immediate operational countermeasures to mitigate the effects of the breach: • Blocking of data traffic outside of Italy; • two-factor authentication on each service accessible from the outside (MFA – Multi Factor Authentication technology), with particular reference to access to company email accounts and access to the company network from the outside via VPN (Virtual Private Network); • Activation of two-factor authentication of the antivirus system console, both on the endpoint and server side, which was not active at the time of the attack; • Consolidation of the company XX system, drastically reducing, first of all, the number of users in the domain admin group, […] therefore also excluding service users. In addition, the copy of the folders was restored, the pre-existing domain controller was deleted and two new domain controllers were created on an environment with an operating system updated to XX read and write plus two read-only domain controllers, inserting the first ones in a new VLAN with dedicated DNS services. The XX password was reset twice. The main vulnerabilities were monitored daily with the XX application and the related security changes were made. This activity was performed in collaboration with the technical support of the ACN technical team”;

- in relation to the technical and organizational measures implemented pursuant to Articles 25 and 32 of the Regulation: before the attack, “beyond the emergency event, the topic of cyber security had been the subject of planning that saw the Company engaged in a complex work of strengthening the security infrastructure and improving awareness of the risks associated with cyber attacks on users already in the period between the end of 2019 and the beginning of 2022. The main activities from which the attention and planning efforts are evident are reported below: 

• December 2019: acquisition, in a logic of technological refresh of the previous solution, of a security platform for the protection of Endpoints, Servers and mobile devices with Antimalware, Firewall, Intrusion Prevention System, Encryption and Application Control functions. The identified solution, the “XX” products, is included by Gartner in the famous report called “Magic quadrant for endpoint protection platforms” in the box reserved for “Leader” technologies, the top right quadrant (see in this regard the Management Determination n. 518 of 03/30/2020 …);

• July 2020: activation of the FAD training course “GDPR Course - EU Regulation 2016/679 – and IT security”, included in the company training plan for the years from 2020 to 2024 with 4 ECM credits. The course was configured as a basic course for all employees and external parties available on the ECM Piemonte platform;

• July 2021 in compliance with and pursuant to art. 36 of the GDPR, XX carried out a “data protection impact assessment” activity (…). The DPIA was intended to support the data controller in defining strategies for the protection of the analyzed data (in particular DSE, Processing of data relating to the health of patients and users of internal medicine services and Emergency urgency, Management control). The analysis also highlighted the security and technical measures necessary to mitigate the risk that were included in a Risk Treatment Plan and a short-term action plan to ensure the protection of personal data relating to the processing subjected to impact assessment;

• November 2021: participation, as part of a regional initiative to analyze the levels of IT risk for insurance profiling purposes as the Lead Company, in an assessment promoted by XX. The assessment activity was based on the compilation of the questionnaire [OMISSIS]. The cyber risk assessment, despite its partial randomness, having been based solely on the response to the questions in the questionnaire and given the complex nature of the topic, made it possible in any case to quantify the level of exposure to risk of the main sector areas and to compare them with sector benchmarks. Furthermore (…) the Company received in the communication of sending the report in question, confirmation that the path taken was a significant change of pace and highlighting that "many of the activities recommended in the XX report are in line with the mitigation path started, denoting the excellent awareness and willingness to intervene to improve the situation";

• December 2021 - January 2022: activation of a training course, now in its third edition in 2024, of cyber awareness, i.e. conscious use of IT infrastructures and tools to develop in employees a clear awareness of cyber risks through the advanced use of multimedia systems and the real involvement of all users;

• January 2022: start of an assessment, concluded in August 2022, of the level of vulnerability ("Vulnerability Assessment"), in order to then be able to plan the main corrective and consolidation actions. In particular, the study allowed to identify the vulnerabilities present on the target systems and to define a remediation plan, based on the criticality of the identified security problems and therefore giving the correct priority to the patching activities. See in this regard the document "Vulnerability Assessment 2022" (...). This remediation plan was then integrated, in June 2022, into the ICT services sector Procedure, by developing a document, then integrated into the Quality Management System of the service itself, which aligned these countermeasures with the adaptation to the standard security measures contained in the AgID Guidelines as per Circular of 18 April 2017, no. 2/2017. The document also contained a preliminary planning of the consolidation activities and corrective actions for the recovery of the anomalies detected by the third quarter of 2024. See in this regard the procedure "P 02_Piano di Adattamento misure sicurezza AgID";

• March 2022: (..) investment planning PNRR Mission 6 component 2, investment 1.1.1, where (…) investments were planned, to acquire know-how and technologies necessary to enhance the infrastructural and application security of hospital systems" and "revision of the Sector Procedure of the SC Area ICT and simultaneous dissemination to the company user population. The communication also contains a brief but exhaustive summary of the best practices to be adopted for greater awareness by the Company's employee users in the use of credentials and IT tools in general (…);

• August - October 2022: integration into the document corpus of the Quality Management System of the ICT Area of the operating instructions, developed at the same time as the Vulnerability Assessment of January 2022, relating to: Change Management - IO_2 (…); Management of Server Images and PdL – IO_3 (….); Security Incident Management - IO_4 (…); Vulnerability Management – IO_5 (…); Management of communications to and from the ICT Area sector – IO_6;

• September 2022: sending of a communication by the General Management to maintain adequate behavioral rules in the use of the company File Sharing environment, following the notification by the ICT Area SC of illegal activities. The communication also recalled the recent violation that occurred at the ASL Città di Torino, reiterating the importance of orthodox behavior for the protection of hospital cybersecurity. See the note with protocol number 19678 of 05-09-2022 (…), which reiterates that the file server system, the object of the attack, is “intended to contain only work files, and not other documents such as personal documents of patients (exams, reports in Word, etc.)”;

• September 2022: gap analysis for compliance with the ISO/IEC 27001:2013 standard. The analysis was aimed at evaluating the status of the processes currently implemented at the Hospital Trust (regulated by the Quality Management System in accordance with ISO 9001:2015) and the consolidated practices in use among the staff and evaluating the gap currently present with respect to their compliance with the ISO/IEC 27001:2013 standard, for possible future implementation. The conclusion of the report highlighted how, following the interviews carried out, it was possible to deduce that the state of implementation of the processes was quite advanced, especially in reference to the daily activities of the ICT Area, which in all likelihood "will constitute the heart of the future certification according to ISO/IEC 27001" (...);

- in relation to the technical measures implemented following the attack notification, "following the analysis carried out in conjunction with the ACN DFIR group, (...), the main corrective actions implemented are reported below: 1. Two-factor authentication system on each service accessible from the outside, with particular reference to: VPN: 1. Corporate VPNs are based on XX technology. They did not have two-factor authentication. It was implemented using the OTP (One Time Password) XX technique. The user's personal email address was used as the email address, or in any case not that of the domain involved, i.e. XX. At the same time, a complete redesign of the VPNs was started and is still underway, creating a real separate LDAP server, also implementing an ACL for each user/company, in order to fully implement a Role Based Access Control type of access; email: 1. Email is based on XX technology. The whole filtering and antispam part is managed by XX. Inside the hospital there is only one server that syncs with XX. The XX domain is replicated (like email). The obsolete and poorly functioning connector was redone on a new server and the latest release of XX; cloud antivirus server: since one of the most significant vulnerabilities that allowed the launch of the executable to spread the ransom note on company PCs was eliminated, the possibility of accessing the company antivirus console, via administrator user, was eliminated, the MFA was requested from the supplier, now inserted. Also in this case, the accounts are based on XX mail in order to avoid the single point of failure; cloud antivirus client; 2. Domain management via XX: Use of specific tools with the support of ACN for the analysis of XX (XX, XX) and for the monitoring of domain risk indicators (XX; administrator users have been considerably reduced, as per best practice for the use of XX, thus calibrating access based on the activities that users must carry out (according to the ROLE BASED ACCESS CONTROL approach); division of administration roles, workstations, domain, centralized servers, external company servers; 3. Firewall management: all direct access to the Internet deemed not essential closed; vulnerability update; traffic filter outside Italy; strengthening of log collection and analysis activity; 4. User management: a portal has been developed internally, for the independent management by employees of domain password reset (to access PCs and email), available at an internet link https. The link to this page is also made available on the Intranet, and offers users the possibility of changing or resetting the password without involving the administrator or help desk, also setting a secret question and answer and a secondary password-recovery email in case of loss. It is also functional to keep the employee records updated, thus reducing the risk associated with access with users no longer in use";

- in relation to the vulnerability found downstream of the attack, concerning the "lack of segmentation at level three of network traffic, including the differentiation between a workstation and a server", the resolution action was: "immediately after the attack, new VLANs were implemented with associated ACLs for security. The remediation of the old VLANs is being completed XX";

- in relation to the vulnerability found downstream of the attack, concerning the "management of user access levels not in line with the principle of least privilege, given that approximately 130 users had maximum administration rights", the resolution action was: "the domain administrators were reduced to four, corresponding to the infrastructure system administrators";

- in relation to the vulnerability found downstream of the attack, concerning the "lack of an Asset and Inventory management system for the management and identification of machines, even off-line", the resolution action was "XX were used during the attack. Currently, the Company uses the XX solution";

- in relation to the vulnerability found downstream of the attack, concerning the "lack of organizational procedures for inserting machines into the network or of a form for managing the underlying VPN requests and identification rules", the resolution action was: "revised the Workstations regulation and created forms and procedures for storing forms and requests";

-  in relation to the vulnerability found downstream of the attack, concerning the "lack of a procedural connection between the database of the application that manages the employee records and the assignment of company work tools in a manner proportional to the contractual classifications, and therefore to the levels of responsibility envisaged for each profile", a "portal was created that connects the personnel records to the network accounts. It provides privileges and licenses based on the job";

- in relation to the vulnerability found following the attack, concerning the "lack of a centralized system for managing users and consequently for managing passwords", a "portal was created that connects the personnel registry to the network accounts. It provides privileges and licenses based on job description”;

- in relation to the vulnerability found downstream of the attack, concerning the “non-optimal organization of the XX identity management system, with the insertion of many of the users of the employee records into multiple groups with various access privileges, with the possibility of implementing escalation techniques”, the “group system and related authorizations were reviewed with the support of the XX application”;

- in relation to the vulnerability found downstream of the attack, consisting in the fact that “obsolete communication protocols were still active, including smbv1 and NTLMv1”, “90% of the servers with smbv1 protocols were eliminated and procedures were initiated with suppliers to clean up the rest”;

- in relation to the vulnerability found downstream of the attack, consisting in the fact that "for the management of the assistance and maintenance activities of many applications, service users with administrator privileges were configured, determining the impossibility of reducing the level of privileges of the same, under penalty of interruption of availability of the related services" and that "many users for access to the VPNs granted to the companies providing application assistance services were connected to the domain and/or also domain administrators" "double authentication vpn and XX" was created and "domain administrators were remediated";

- "with regard to structural investments, beyond the operational countermeasures to contain the exposures found downstream of the attack, the AOU of Alessandria has started investments aimed at activating control services and acquiring perimeter security systems" (...) which have affected numerous profiles; 

- in relation to the organizational measures implemented following the attack notification, "first of all, a series of internal communications and reports to the relevant bodies were started as specified below: • immediate reporting to the Postal Police and the ACN; • preliminary reporting of the data breach to the Guarantor Authority within 72 hours as per the Regulation; • immediate communication to the General Management and from there to the healthcare operators involved with an operational decalogue of the actions to be immediately implemented to counter the risk. In this regard, the communications sent to XX by the company are reported regarding: 1. the invitation to all employees to restart company PCs and follow the instructions for generating a new access password according to the good practices also reiterated in the company regulations. See in this regard the email from XX of the Director of the I.C.T. Area Structure (...); 2. contact with the technical contact of the company from whose generic user account for assistance activities on the haematology application installed on the AOU of Alessandria servers the attackers' access movement was found, as highlighted by the report produced by the ACN team. See in this regard the email of XX from the Director of the I.C.T. Area Structure (…); 3. Communication to all employees of the General Management containing provisions on IT security (…); 4. communication to all employees of an update on the recovery and consolidation activities in progress following the attack (…); 5. revision of the company regulations, formally approved with Resolution of the General Manager no. 150 of XX on the correct use of the I.C.T. infrastructure of the AOU of Alessandria and related information to all employees (…); 6. creation of the new company File sharing infrastructure and new provisions on its use with information to all employees (…); 7. further sharing of the new company regulation and request to activate the users for the new company File Sharing system to the hospital users (…); 8. Communication to all employees of the General Management containing provisions on IT security (…); 9. further request to activate the users for the new company File Sharing system to the hospital users (…); 10. Communication to all employees of the General Management containing requests to comply with the provisions on IT security (…); 11. Activated the "block" function of XX and sent information to the hospital users (…); 12. Reporting of other phishing attacks (…); 13. Activated a massive communication campaign aimed at employees on "cyber security";

- “regarding organizational and procedural measures: the company regulation containing provisions for the safe use of the Company's ICT infrastructure has been adjusted, (...) “Approval of the 2023 company regulation for the use of ICT services”. This revision introduces new criteria for profiling company users according to the principle of the least possible privilege, updates the user request forms, defines the new rules for accessing the new File Sharing and company mail system, and exemplifies the methods of accessing the VPN with MFA (Multi Factor Authentication) authentication technology. It also reiterates the conscious use of access passwords and their constant review according to good generation practices to prevent them from being trivial and easily identifiable”;

- “adequate operating instructions and guidelines have been prepared for the Integrated Management of updates to electromedical devices and for the periodic monitoring of vulnerabilities from the recently acquired MDSP platform”;

- “contractual annexes have been prepared for current and future initiatives for the procurement of applications and electromedical devices to be connected to the network in such a way as to manage, already in the drafting phase of the tender specifications or definition of the Purchase Order, information elements such as the requirements of the security process, the initial determination of the risk of the device, the communication scheme”;

- “during the inspection activity (…), a substantial series of documentary supports were argued and found for a precise and timely reconstruction of the event of the XX, minutely following the collaborative requests of the officials and receiving their indications to confirm or implement all the steps necessary for the overall and complete weighted evaluation of the activities implemented to resolve the problems underlying the hacker attack and facilitate the correct determination of the consequences and the effects on personal data and on the rights and freedoms of the interested parties potentially involved. The Company has also maintained a constant collaborative relationship with ACN (...);

- "the categories of data impacted by the breach are personal data (name, surname, gender, date of birth, place of birth, tax code) contact data (postal or email address, landline or mobile telephone number) access and identification data (username, password) health data for users, suppliers and patients as well as employees. As regards employees, the impacted data consists of documentation relating to the normal economic activities inherent to them and any additional personal content stored in the file server folders";

- "the Company (...), has acted in recent years in a context of particular cyclical criticality: • The SSR of the Piedmont region only in 2017 exited the Recovery Plan conducted in collaboration and under the supervision of the MEF, the so-called "Tavolo Massicci", which led to a strong contraction in the flow of expenditure in the current part and in the investment account, with heavy cuts to personnel with a total freeze on hiring for 7 years in technical-administrative roles that have greatly impoverished IT HR in a field of strong technological development; the cuts were also made in the sector of purchasing ICT goods and services and their adaptation to the new IT achievements on which the various spending review interventions were grafted. • The Covid-19 contagion, which hit the Alessandria area with particular speed and severity since January 2020, given the close geographical proximity to the area where it first spread, brought further difficulties in the management of the IT sector called to the front line to deal with the pandemic emergency, slowing down the processes of adapting IT systems to higher levels of security desired by the strategic management of the company for the best protection of personal data. The Covid pandemic emergency ended, as per WHO provisions, on 5/5/2023";

- “despite this “extraordinary” management context, the company has also managed to launch an ambitious plan to redesign its IT and information infrastructure, starting in 2021, with significant investments in hardware, software and human resources, with a strategic plan that sees digitalization and particular attention to cybersecurity as one of the founding elements. The malicious hacker attack came at the moment in which this plan had been launched and was being implemented with the resources that were finally available (also thanks to the PNRR), determining the subsequent acceleration of the risk mitigation plan necessary in light of the development of technologies and data processing systems”;

- “the notification of infiltration into the hospital network and the consequent analysis of the vulnerabilities that allowed this event abruptly accelerated a series of changes whose necessity and urgency, especially with respect to the previous infrastructure configuration situation, the Management was absolutely convinced, and for which a process of profound restructuring and re-engineering was underway, with significant investments started. These activities have sought (…), not to limit themselves to the pure and simple acquisition of technology, but, on the contrary, to start from the organizational dimension of IT security, which is far more relevant than the technical one. On the basis of this awareness, the roles and profiles of access to the network of operators have been clearly constructed, not only technical-administrative, but above all healthcare, the management rules have been defined according to which certain data can be conveyed only through certain channels (certified applications and not shared folders on the File Server, for example), a strong commitment mechanism has been activated by Management as a whole (through the assignment of specific objectives in the Performance Plan to the entire organization), and not only by the person responsible for information systems, so that the vulnerability response plan is not oriented towards the emergency, but the management of the aspects of security of personal data and protection of privacy are an integral part of the working conduct of each employee”.

6. Outcome of the investigation

Having taken note of what was represented by the Company during the proceedings, it is noted that:

- “health data” means “personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her state of health” (Article 4, paragraph 1, no. 15, of the Regulation);

- personal data must be “processed in a manner that ensures appropriate security (…) including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (principle of “integrity and confidentiality”, Article 5, paragraph 1, letter f), of the Regulation);

- Art. 32 of the Regulation, concerning the security of processing, establishes that "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (...)" (par. 1) and that "when assessing the appropriate level of security, special account shall be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed" (par. 2).

- the “Guidelines 9/2022 on the notification of personal data breaches under the GDPR” adopted by the European Data Protection Board on 28 March 2023 also clarify that “the ability to promptly identify, address and report a breach must be considered an essential aspect” of the technical and organizational measures that the data controller and processor must implement, pursuant to art. 32 of the Regulation, to ensure an adequate level of security of personal data;

- according to Recital no. 87, “it is appropriate to verify whether all appropriate technological and organizational protection measures have been implemented to establish immediately whether there has been a personal data breach and to promptly inform the supervisory authority and the data subject”.

7. Conclusions: declaration of unlawfulness of the processing.

In light of the above, it is noted that the processing carried out in the context in question requires the adoption of the highest security standards in order not to compromise the confidentiality, integrity and availability of the personal data of a very significant number of data subjects. This, also taking into account the purposes of the processing and the nature of the personal data processed, including those belonging to particular categories and, in particular, health data. In this regard, the security obligations set out in the Regulation require the adoption of rigorous technical and organizational measures, including, in addition to those expressly identified in art. 32, par. 1, letters a) to d), all those necessary to mitigate the risks posed by the processing.

On the basis of the assessments referred to above, taking into account the declarations made by the data controller during the investigation and considering that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Garante, declares or certifies false information or circumstances or produces false acts or documents shall be liable pursuant to art. 168 of the Code (“False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor”), the elements provided by the data controller in the defense brief referred to above, although worthy of consideration, do not allow the findings notified by the Office with the aforementioned act of initiation of the procedure to be overcome, since none of the cases provided for by art. 11 of the Guarantor regulation no. 1/2019 apply.

From the examination of the information and elements acquired as well as the documentation provided, the processing carried out by the Company appears to be unlawful, as it was carried out in violation of art. 5, par. 1, letter f) and 32 of the Regulation, in relation to the profiles reported below.

7.1. Failure to adopt adequate measures to promptly detect the breach of personal data

During the investigation, it emerged that the malicious individuals carried out a series of operations preparatory to the cyber attack and that “the Company did not have a log management system” (see minutes of XX, pages XX and XX and of XX, page XX). From the documentation in the files, it is clear that “the management of the emergency after the attack required the acceleration of some of the measures subject to […] planning” with particular reference to the SIEM (Security Information and Event Management) to be connected to “external SOCs used as services to supplement the office hours in force at the service, in order to guarantee 24/7 coverage of the control, analysis and remediation support activity” (see Annex XX to the minutes of XX, page X). The deficiency highlighted did not allow the Company to promptly detect and become aware of the breach of personal data that occurred.

Failure to adopt adequate measures to promptly detect personal data breaches does not comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation which, in the case in question, taking into account the provisions of the aforementioned Guidelines, require that the data controller and data processor implement measures to “promptly identify […] a breach”.

7.2. Failure to adopt adequate measures to guarantee network security and obsolescence of basic software installed on some processing systems

During the investigation, it emerged that the Company had not adopted adequate measures to segment and segregate the networks on which the workstations of its employees were located, as well as the systems (servers) used for processing. In fact, as also highlighted by the Company during the inspection activities, "the network was substantially flat, there was no logical or physical segmentation" and the workstations and servers were not differentiated at network level (see minutes of XX, page XX and attachment XX to the minutes of XX, pages XX and XX).

Moreover, at the time the personal data breach occurred, remote access, via VPN, to the Company's network was carried out using a computer authentication procedure based only on the use of username and password. In relation to this aspect, the Company specified that "a multi-factor computer authentication (MFA) procedure was not foreseen for remote access in VPN. (...) The "maintenance" users were often generic, not individual, with maximum administrative privileges" and that "although instructions had been provided to the staff regarding the choice of password, inspired by good industry practices, no system configuration was foreseen that incorporated such instructions. Users who performed administrator functions used different accounts, depending on whether they were personal domain accounts or accounts with administrative privileges. In the latter case, the credentials, which did not have a specific password policy, were generally shared between the various administrators” (see minutes of XX, page XX). With reference to this profile, the Company, following the incident, deemed it necessary to “activate the MFA, certify the VPN and identify named users (using specific forms), in compliance with the principle of “minimum privilege””.

During the investigation, it emerged that “it is presumed that the attacker may have exploited a vulnerability relating to the XX perimeter firewall [and] that the version of the XX firewall operating system was vulnerable” and that “various obsolete communication protocols were still active”. In relation to this aspect, the Company, following the incident, proceeded with the technological update of the equipment and infrastructure.

The failure to implement, at the time of the infringement, adequate measures to ensure the security of the networks, and the use of obsolete basic software for which security updates are no longer available, do not fully comply with the provisions of art. 5, par. 1, letter f), and art. 32, par. 1, of the Regulation which, in the case in question, require that the data controller and the data processor implement measures to "ensure on an ongoing basis the confidentiality, integrity, availability and resilience of processing systems and services" (letter b)).
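Added illustration for findings 7.1 and 7.2, not part of the decision: a minimal Python correlation pass over constructed log lines, showing the kind of prompt detection a log-management system would have given the Company for the very weaknesses listed above (password-only VPN logon by a generic maintenance account, NTLMv1 and SMBv1 sessions, the antivirus agent being stopped). Host names, account names, the `vpn-gw` log format and the generic-account naming rule are assumptions.

```python
"""Constructed example, not part of the decision: a minimal log-correlation
pass of the kind a log-management/SIEM system performs, keyed to the findings
in 7.1 and 7.2 (password-only VPN access, generic maintenance accounts with
admin rights, SMBv1/NTLMv1 still active, antivirus agent disabled).
Host names, account names and every log line below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed syslog-style lines: "<ISO timestamp> <source> key=value ...".
SAMPLE_LOGS = """\
2023-01-10T02:11:04 vpn-gw user=svc_haem_maint src=203.0.113.7 auth=password result=success
2023-01-10T02:13:30 dc01 event=4624 user=svc_haem_maint host=FS01 logon_type=3 auth_pkg=NTLMv1
2023-01-10T02:14:02 fs01 event=smb_session user=svc_haem_maint dialect=SMB1
2023-01-10T02:20:45 ws117 event=service_stopped name=av_agent by=svc_haem_maint
2023-01-10T09:05:00 vpn-gw user=m.rossi src=198.51.100.2 auth=password+otp result=success
2023-01-10T09:06:10 dc01 event=4624 user=m.rossi host=WS042 logon_type=2 auth_pkg=Kerberos
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<kv>.+)$")
LEGACY_PROTOCOLS = {"NTLMv1", "SMB1"}
# Assumed naming convention for non-personal (service/maintenance) accounts.
GENERIC_ACCOUNT_RE = re.compile(r"^(svc|maint|admin)[_-]", re.IGNORECASE)

@dataclass
class Event:
    ts: datetime
    source: str
    user: str
    fields: dict

@dataclass
class Alert:
    ts: datetime
    rule: str
    user: str
    severity: str

@dataclass
class Incident:
    user: str
    first_ts: datetime
    last_ts: datetime
    rules: list = field(default_factory=list)
    severity: str = "medium"

def parse_logs(text: str) -> list:
    """Parse lines into Events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        # Endpoint events name the acting account as "by", the others as "user".
        user = f.get("user") or f.get("by") or ""
        events.append(Event(datetime.fromisoformat(m["ts"]), m["source"], user, f))
    return sorted(events, key=lambda e: e.ts)

def apply_rules(events: list) -> list:
    """Single-event rules, each tied to a deficiency named in the decision."""
    alerts = []
    for e in events:
        f = e.fields
        # 7.2: VPN access authenticated with username and password only (no MFA).
        if e.source == "vpn-gw" and f.get("result") == "success" and "otp" not in f.get("auth", ""):
            sev = "high" if GENERIC_ACCOUNT_RE.match(e.user) else "medium"
            alerts.append(Alert(e.ts, "vpn_no_mfa", e.user, sev))
        # 7.2: obsolete protocols (SMBv1, NTLMv1) still negotiated on the network.
        proto = f.get("auth_pkg") or f.get("dialect")
        if proto in LEGACY_PROTOCOLS:
            alerts.append(Alert(e.ts, f"legacy_protocol_{proto}", e.user, "medium"))
        # Antivirus agent stopped on a workstation, the step before the ransom-note spread.
        if f.get("event") == "service_stopped" and f.get("name") == "av_agent":
            alerts.append(Alert(e.ts, "av_disabled", e.user, "high"))
    return alerts

def correlate(alerts: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Group alerts per account inside a time window; two or more distinct rules for
    one account within the window escalate to critical (the prompt detection 7.1 found missing)."""
    incidents, open_by_user = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_by_user.get(a.user)
        if inc is None or a.ts - inc.first_ts > window:
            inc = Incident(a.user, a.ts, a.ts)
            incidents.append(inc)
            open_by_user[a.user] = inc
        inc.last_ts = a.ts
        if a.rule not in inc.rules:
            inc.rules.append(a.rule)
        if a.severity == "high" and inc.severity == "medium":
            inc.severity = "high"
        if len(inc.rules) >= 2:
            inc.severity = "critical"
    return incidents

def analyse(text: str = SAMPLE_LOGS) -> list:
    return correlate(apply_rules(parse_logs(text)))

if __name__ == "__main__":
    for inc in analyse():
        print(f"{inc.severity:8} {inc.user:16} first={inc.first_ts:%H:%M:%S} "
              f"span={inc.last_ts - inc.first_ts} rules={','.join(inc.rules)}")
```

On the constructed sample the four alerts for the maintenance account fall within ten minutes of the password-only VPN logon and collapse into one critical incident, while the MFA-authenticated personal account raises nothing.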

8. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (arts. 58, par. 2, letter i) and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The infringement of art. 5, par. 1, letter f) and 32 of the Regulation, caused by the conduct carried out by the Company, entails the application of the administrative pecuniary sanction pursuant to art. 83, paragraphs 4 and 5 of the Regulation.

The Guarantor, pursuant to art. 58, paragraph 2, letter i) of the Regulation and art. 166 of the Code, has the power to "impose an administrative pecuniary sanction pursuant to article 83, in addition to the (other) (corrective) measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case", by adopting an injunction order (art. 18 law 24 November 1981, no. 689), in relation to the processing of personal data carried out by the Company, which has been ascertained to be unlawful, in the terms set out above.

Having deemed it necessary to apply par. 3 of art. 83 of the Regulation, where it provides that "if, in relation to the same processing or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement", the total amount of the fine is calculated so as not to exceed the maximum fine provided for by the same art. 83, par. 5.

In light of the above and, in particular, of the category of personal data affected by the violation, which, by their nature, are particularly sensitive in terms of fundamental rights and freedoms, it is believed that the level of severity of the violation committed by the Company is high (see European Data Protection Board, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60), despite the unintentional nature of the violation (the episode appears to have been caused by malicious conduct by a third party, formally reported to the postal police). 

Having said this, certain elements are assessed as a whole and, in particular, that:

- the Guarantor became aware of the event following the notification of violation made by the Company, pursuant to art. 33 of the Regulation and no complaints or reports have been received regarding the violation that is the subject of this provision (Article 83, paragraph 2, letters h) and k) of the Regulation);

- the data controller, in order to avoid the repetition of the event that occurred, has undertaken to introduce measures aimed at reducing the replicability of the event that occurred and has cooperated with the Authority in every phase of the investigation, including the inspection phase, in order to remedy the violation and mitigate its possible negative effects (Article 83, paragraph 2, letters c) and f) of the Regulation);

- the management of the pandemic emergency has made it necessary to strongly involve the IT sector, with the consequent significant slowdown in the systems adaptation processes (Article 83, paragraph 2, letter k) of the Regulation).

In light of the elements indicated above and the assessments carried out, it is deemed appropriate, in this case, to set the amount of the pecuniary sanction at € 25,000.00 (twenty-five thousand/00) for the violation of Articles 5 and 32 of the same Regulation, based on the principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere, pursuant to Article 83, paragraph 1, of the Regulation.

In this context, it is also believed that, pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, it is necessary to proceed with the publication of this chapter containing the injunction order on the website of the Guarantor. This, in consideration of the type of personal data subject to unlawful processing and the number of interested parties involved.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to Articles 57, paragraph 1, letter f) and 83 of the Regulation, finds the unlawfulness of the processing carried out by the Azienda Ospedaliero-Universitaria SS. Antonio e Biagio e Cesare Arrigo, with registered office in Alessandria, via Venezia, 16 – 15121 - C.F. – P.I. n. 01640560064, within the terms set out in the reasons, for the violation of articles 5 and 32 of the Regulation;

ORDERS

pursuant to art. 58, par. 2, letter i) of the Regulation, to the same Company, in the person of its legal representative pro-tempore, to pay the sum of Euro 25,000.00 (twenty-five thousand/00) as an administrative pecuniary sanction for the violation indicated in this provision.

ENJOINS

the aforementioned Company to pay the sum of Euro 25,000.00 (twenty-five thousand/00) according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is noted that, pursuant to art. 166, paragraph 8, of the Code, the offender has the right to settle the dispute by paying, always according to the methods indicated in the attachment, an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below.

ORDERS

a) pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, the publication of the injunction order on the website of the Guarantor;

b) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, the publication of this provision on the Authority's website;

c) pursuant to art. 17 of the Regulation of the Guarantor no. 1/2019, the annotation of the violations and measures adopted in accordance with art. 58, paragraph 2 of the Regulation, in the internal register of the Authority provided for by art. 57, paragraph 1, letter u) of the Regulation.

Pursuant to art. 78 of the Regulation, arts. 152 of the Code and 10 of Legislative Decree no. 150/2011, against this provision it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 17 October 2024

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE SECRETARY GENERAL
Mattei