Persónuvernd (Island) - 2020061844

From GDPRhub
Persónuvernd - 2020061844
Authority: Persónuvernd (Island)
Jurisdiction: Iceland
Relevant Law: Article 5(1)(f) GDPR
Article 25 GDPR
Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 03.07.2023
Published:
Fine: 12000000 ISK
Parties: n/a
National Case Number/Name: 2020061844
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Personuvernd (Iceland) (in IS)
Initial Contributor: n/a

The Icelandic DPA fined the Office of the National Medical Examiner ISK 12,000,000 (approx. € 82,000) for multiple GDPR violations after a security breach on its website Heilsuvera – an online healthcare system and prescription portal.

English Summary

Facts

The Icelandic DPA received a notification from the Office of the National Medical Examiner (the controller) about a security breach in its website (Heilsuvera – an online healthcare system and a prescription portal). Personal data of individuals were made available to unauthorised parties through the website.

For example, after logging in to the Heilsuvera website, it was possible to manipulate so-called parameters to see unauthorized messages (i.e. by right-clicking with the computer mouse to access the code of a specific page on the website and then changing it to see another page in the area). It was also revealed that it was possible to change the URL of a sonogram image that individuals were given access to from the medical records system in order to see other images within the system, i.e. attachments that were saved there.

The controller explained that the data breach followed, among other things, because there was a fault in the connection cable due to communication with a system outside the Heilsuvera website. More specifically, the controls on the API, which are activated when documents are retrieved from outside the Heilsuvera website, did not have sufficient functionality to confirm rights to access the data.
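The missing access-rights check described above can be shown as an added example (constructed for this page, not code from Heilsuvera, Origo hf. or the decision). It contrasts a document-retrieval function that treats a valid login as sufficient with one that also verifies that the requested document belongs to the logged-in person; the class names, identifiers and sample records are hypothetical.

```python
"""Constructed model of an attachment-download endpoint; all names are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    attachment_id: int   # sequential counter exposed in the request
    patient_id: str      # data subject the document belongs to
    content: bytes


class NotFound(Exception):
    """Used for 'does not exist' and 'not yours' alike, so the response
    does not confirm which identifiers hold another person's document."""


class RecordSystem:
    """Stand-in for the external medical-record system behind the portal."""

    def __init__(self, attachments):
        self._by_id = {a.attachment_id: a for a in attachments}

    def get(self, attachment_id):
        return self._by_id.get(attachment_id)


def fetch_unchecked(records, session_patient_id, attachment_id):
    """Flawed pattern: a valid login is treated as sufficient."""
    if session_patient_id is None:
        raise PermissionError("login required")
    attachment = records.get(attachment_id)
    if attachment is None:
        raise NotFound(attachment_id)
    return attachment.content


def fetch_checked(records, session_patient_id, attachment_id, audit_log):
    """Corrected pattern: after authentication, authorise this object for
    this person on the server side and record the decision."""
    if session_patient_id is None:
        raise PermissionError("login required")
    attachment = records.get(attachment_id)
    allowed = attachment is not None and attachment.patient_id == session_patient_id
    audit_log.append({"actor": session_patient_id, "object": attachment_id,
                      "decision": "allow" if allowed else "deny"})
    if not allowed:
        raise NotFound(attachment_id)
    return attachment.content


def outcome(call, *args):
    """Run one request and describe the result without raising."""
    try:
        return ("served", call(*args))
    except NotFound:
        return ("not_found", None)
    except PermissionError:
        return ("login_required", None)


def demo():
    # Constructed records: two documents with adjacent counter values.
    records = RecordSystem([
        Attachment(1001, "patient-A", b"sonogram belonging to A"),
        Attachment(1002, "patient-B", b"scanned report belonging to B"),
    ])
    audit_log = []
    results = {
        "unchecked_own": outcome(fetch_unchecked, records, "patient-A", 1001),
        "unchecked_other": outcome(fetch_unchecked, records, "patient-A", 1002),
        "checked_own": outcome(fetch_checked, records, "patient-A", 1001, audit_log),
        "checked_other": outcome(fetch_checked, records, "patient-A", 1002, audit_log),
        "checked_missing": outcome(fetch_checked, records, "patient-A", 9999, audit_log),
        "checked_anonymous": outcome(fetch_checked, records, None, 1001, audit_log),
    }
    return results, audit_log


if __name__ == "__main__":
    results, audit_log = demo()
    for name, result in results.items():
        print(name, result)
    for entry in audit_log:
        print(entry)
```

The corrected function answers a request for someone else's document exactly as it answers a request for a non-existent one, and the audit entries give a later log review a direct record of denied attempts.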

Holding

The Icelandic DPA noted that all processing operations must comply with the general principles under Article 5 GDPR. More specifically, the DPA stated that the processing activities must comply with the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR.

Furthermore, the DPA highlighted that the processing activities in question must also comply, inter alia, with the requirements on the security of the processing pursuant to Article 32 GDPR and the principle of data protection by design and by default under Article 25 GDPR.

The DPA considered the nature of the personal data processed within the Heilsuvera website (the data included sensitive data pursuant to Article 9 GDPR) and found that it is extremely important that appropriate technical and organisational measures are in place to ensure the security of the processing according to Article 32(1) GDPR.

It was also highlighted that in light of the sensitive nature of the information in question, special efforts must be carried out to ensure built-in and default data protection in accordance with Article 25 GDPR.

Eventually, the DPA held that the controller did not ensure the security of personal data processed within the Heilsuvera website in the manner required by Article 32(1)(b) and (d) GDPR. The DPA also found that built-in and default data protection was not adequately ensured as required by Article 25 GDPR. As a result, the controller was also found to have violated the principle of integrity and confidentiality under Article 5(1)(f) GDPR.

The controller was fined ISK 12,000,000 (approx. € 82,000) for violating Articles 5(1)(f), 25 and 32(1)(b) and (d) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

Fine due to security weaknesses in Heilsuvera

Case no. 2020061844

3.7.2023

Personal Protection has imposed an administrative fine, in the amount of ISK 12,000,000, on the Office of the National Medical Examiner due to a security weakness in the Heilsuvera information website. The office had reported a security breach when two people managed to see data that did not belong to them. On the one hand, it was due to a weakness in Heilsuvera's message section, which meant that by changing the connection string, a logged-in user could access unauthorized messages that could be personally identifiable. On the other hand, it was due to a weakness that enabled logged-in users in the maternity care section of Heilsuvera, who had access to a sonogram from the medical record system of one of the two health institutions, to see the attachments of other persons in the medical record system of the relevant institution by changing the URL. The above was considered to violate information security requirements. Certain factors were taken into account in mitigation, including the security measures taken in Heilsuvera in general. In light of, among other things, the sensitive nature of the information in question and the contradictory and materially incorrect explanations given during the investigation of the case, the decision to impose a fine was reached as described earlier.

Decision

On June 27, 2023, Personal Protection made the following decision in case no. 2020061844, i.e. on the application of administrative sanctions due to security weaknesses in Heilsuveru's information website:

I. Procedure
1. Outline of a case

On June 8, 2020, Personal Protection received a notification from the Office of the National Medical Examiner about a security breach in the Heilsuveru information website. The announcement states that the personal information of individuals has become available to unauthorized parties via the web.

By letter dated June 24, 2020, the Personal Protection Agency requested explanations from the Office of the National Medical Examiner in connection with the announcement. The office responded with a letter dated the 30th of the same month.

By letter dated July 16, 2020, Personal Protection requested further clarification from the office and was answered with a letter dated 6 August of the same year.

Personal Protection considered that there might be grounds for the imposition of an administrative fine in the amount of approx. ISK 4,500,000, as insufficient information security had caused the said security breach, and the Office of the National Medical Examiner was sent a letter dated June 29, 2022, granting the right to object in that regard. The office responded with a letter dated 13 September of the same year.

After receiving the last-mentioned letter, further explanations were deemed necessary and they were requested in an email on November 24, 2022, which was answered on the 29th. As a follow-up to this email communication, Personal Protection announced an on-site inspection at the Office of the National Medical Examiner with a letter dated 16 January 2023. It took place on the 31st of the same month and was continued on March 8, 2023. As a result, a letter was received from the Office of the National Medical Examiner, dated March 13, 2023, together with supporting documents. The Personal Protection Authority then considered that additional data was needed and requested it by letter dated April 4, 2023. The data was delivered on the 17th, and after receiving it, the Office of the National Medical Examiner was given the opportunity to comment on the description of the aforementioned field inspection, i.e. in an email on April 26, 2023. A reply was received from the office the next day.

In light of what the investigation of the case had now revealed, the Personal Protection Authority considered that there was reason to increase the estimated amount of the administrative fine to ISK 15,000,000, and the Office of the National Medical Examiner was sent a letter dated May 12, 2023, granting the right to object to that increase. The office's lawyer subsequently sent a letter to Personal Protection, dated the 19th of that month, with a request for specific information and data, and that letter was answered with a letter dated the 30th of the same month. As a result, a letter was received from the Office of the National Medical Examiner, dated June 2, 2023, with objections on behalf of the office.

Taking into account the threat posed by the COVID-19 disease in Icelandic society and the pressure that the Icelandic health authorities were under for about two years after the notification of the Office of the Medical Examiner was received by the Data Protection Authority, the organization decided to prioritize other issues. However, when the situation returned to normal with the health authorities, the investigation of the case was started again.

2. Explanations of the Office of the National Medical Examiner of 30 June 2020 and 6 August of the same year

In the explanations of the Office of the National Medical Examiner, it is stated that there was a fault in the connection cable due to communication with a system outside Heilsuvera. More specifically, controls on the API, which are activated when documents are retrieved from outside Heilsuvera, did not have sufficient functionality to confirm rights to access data. There were two types of security vulnerabilities and it required some skill to exploit them. A user had to be logged in to Heilsuvera's website and enter a path in a browser that directed the user to health information that did not belong to him. The most likely method was to copy the URL from one's own login and increase the counter in the URL. The two people who reported the security vulnerabilities had the necessary knowledge. Their purpose was not to cause damage or access personal information to unauthorized persons, and they both confirmed that they had deleted the data they retrieved in connection with the analysis of said security vulnerabilities.

In the explanations of the Office of the National Medical Examiner, it is stated that in what is referred to as case A, the communication between healthcare workers and users of Heilsuvera was accessible by unauthorized persons from 2015 to June 8, 2020. Anyone who was logged into Heilsuvera was able to access the communications by changing the identifiers in the connection strings. The identifiers of the communications in connection strings are arranged in such a way that it is not possible to connect them to specific individuals. Therefore, the personal information of the users of Heilsuvera, such as names or social security numbers, or anything else that could refer to them, has not been disclosed. It also says that the review by the service provider Origo hf. of transaction files (logs) is not fully completed. The information technology company Syndis ehf. will review the results of Origo hf.'s analysis of transaction registers after that review.

In the explanations of the Office of the National Medical Examiner, it is said that what is referred to as case B is related to changes that were made to Heilsuvera on March 28, 2019, when a new unit, maternity care, was added to the website. An unauthorized person was able to download 205,407 attachments, some of which contained health information related to 41,390 individuals. The attachments were saved at the Suðurnesja Health Institute and contained pictures, PDF documents and Word documents. Only those persons who have been registered in Heilsuvera and have participated as parents in maternity care have had a realistic possibility of accessing data that did not belong to them. It also says that the review by Syndis ehf. of transaction logs revealed that no more unauthorized parties than the two who reported the security vulnerabilities had downloaded the attachments in question.

It also says that access to "My pages" was blocked as soon as the security vulnerabilities were noticed on June 8, 2020 and they were fixed. Syndis ehf. reviewed the analysis of the security vulnerabilities and examined the changes that Origo hf. suggested be made before the site was reopened. In addition, Syndis ehf. reviewed the system and confirmed that the changes made corrected the vulnerabilities after the site was reopened the same day. The company also looked at a new update on the website with permanent fixes on June 18, 2020, which, among other things, included a review of programming code and tests.

Finally, the office's explanations say that before Heilsuvera was opened to the public in October 2014, the IT company Security.is and the consulting company Admon ehf. carried out audits of Heilsuvera. After that, assessments were made of new connections to Heilsuvera depending on the circumstances and taking into account changes in processing.

3. Further correspondence

With a letter to the Office of the National Medical Examiner, dated June 29, 2022, Personal Protection requested more detailed explanations, i.e. in relation to whether external parties had gained access to the information due to the security breach in question. The office was also informed that the agency considered there may be grounds for the application of an administrative fine in the amount of approx. ISK 4,500,000, as insufficient security of personal information at the office would have caused the breach, and in that connection reference was made to points (b) and (d) of Article 32(1) and point (f) of Article 5(1) of Regulation (EU) 2016/679, cf. also Article 27(1) and point 6 of Article 8(1) of Act no. 90/2018. The Personal Protection Agency also requested a copy of the findings of Syndis ehf. on the analyses of Origo hf. of transaction records.

The office responded with a letter dated 13 September 2022. The letter states that in relation to what is referred to as case A, Origo hf. was tasked with re-analyzing transaction files and no unauthorized searches were found. Furthermore, it is said that in what is referred to as case B, sufficient attention was not paid to security issues in the part of the solution that fetched attachments from other organizations when a new unit, maternity care, was added to the website. It also says that further analysis has revealed that unauthorized parties were able to retrieve the attachments of Heilsuvera users from September 2019 and not from March 28, 2019, as previously stated in the office's explanations. During the time that the vulnerability in case B was present, 2,000 people downloaded documents related to maternity care on the web. The number of persons who could possibly have exploited the vulnerability is therefore limited. It also says that the numbers that were stated in the previous explanations of the office, i.e. that unauthorized parties could have retrieved 205,407 attachments, some of which contained health information related to 41,390 individuals, were roughly estimated based on the most serious possible consequences of the security vulnerability.

It also states that only in exceptional cases were the documents that could have been made available to unauthorized parties personally identifiable, and the position is expressed that the amount of a possible administrative fine should be reduced. It is noted in this regard that documents that were examined during a closer inspection were non-personally identifiable, e.g. sonograms, appointments and responses to medication refill requests. However, it cannot be ruled out that unauthorized parties could have downloaded attachments that contained health information.

In addition, it says that during the review of the log files by the service provider Origo hf., no unauthorized accesses were found, with the exception of the accesses of the two unauthorized parties who downloaded the attachments in question and raised the alert about the security vulnerability. The information technology company Syndis ehf. has carried out an assessment of the results of the analysis of Origo hf. and confirmed its result.

In the report of Syndis ehf. on an assessment of the analysis of said security weaknesses, dated September 13, 2022, it is stated, inter alia, that the aforementioned analysis of Origo hf. and its results were detailed and demonstrated that all the actions that could have been carried out due to weaknesses in the design of Heilsuvera had been investigated. According to Syndis ehf., it had been excluded as far as possible that the personal information of the users of Heilsuvera ended up in the hands of unauthorized parties. Syndis ehf. also confirmed that on June 8, 2020, the vulnerabilities in Heilsuvera had been fixed.
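A log review of the kind described in this section, establishing which logged-in accounts were served documents belonging to someone else and how many data subjects that touched, can be sketched as follows. This is an added example, not part of the decision and not the analysis performed by Origo hf. or Syndis ehf.; the log format, request path, ownership table and threshold are constructed assumptions.

```python
"""Constructed log-review sketch; the log format and all names are assumptions."""
import re
from collections import defaultdict

# Constructed access-log lines: timestamp, authenticated user, request, status.
SAMPLE_LOG = """\
2020-06-05T15:01:02Z user=patient-A GET /attachments/1001 200
2020-06-05T15:01:40Z user=patient-B GET /attachments/1002 200
2020-06-05T15:02:10Z user=patient-C GET /attachments/1003 200
2020-06-05T15:02:12Z user=patient-C GET /attachments/1004 200
2020-06-05T15:02:13Z user=patient-C GET /attachments/1005 200
2020-06-05T15:02:15Z user=patient-C GET /attachments/1006 404
2020-06-05T15:03:00Z user=patient-D GET /attachments/1005 200
corrupted line without the expected fields
"""

# Constructed ownership table: attachment id -> data subject it belongs to.
OWNER_OF = {1001: "patient-A", 1002: "patient-B", 1003: "patient-C",
            1004: "patient-A", 1005: "patient-D"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET /attachments/(?P<id>\d+) (?P<status>\d{3})$"
)


def parse_events(log_text):
    """Return (events, rejected); rejected lines are counted, not silently dropped."""
    events, rejected = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line.strip())
        if match is None:
            rejected += 1
            continue
        events.append((match["ts"], match["user"], int(match["id"]), int(match["status"])))
    return events, rejected


def scope_exposure(events, owner_of):
    """Per actor: foreign documents actually served (status 200) and their owners.
    Served documents with no known owner are returned separately for follow-up."""
    exposure = defaultdict(lambda: {"objects": set(), "subjects": set()})
    unresolved = set()
    for _ts, user, obj, status in events:
        if status != 200:
            continue
        owner = owner_of.get(obj)
        if owner is None:
            unresolved.add(obj)
        elif owner != user:
            exposure[user]["objects"].add(obj)
            exposure[user]["subjects"].add(owner)
    return dict(exposure), unresolved


def longest_counter_walk(events):
    """Per actor: longest run of requests in which each id is the previous id + 1."""
    last, run, best = {}, defaultdict(int), defaultdict(int)
    for _ts, user, obj, _status in sorted(events):  # ISO 8601 UTC sorts as text
        run[user] = run[user] + 1 if last.get(user) == obj - 1 else 1
        best[user] = max(best[user], run[user])
        last[user] = obj
    return dict(best)


def triage(log_text, owner_of, walk_threshold=3):
    """Combine both signals into one report keyed by actor."""
    events, rejected = parse_events(log_text)
    exposure, unresolved = scope_exposure(events, owner_of)
    walks = longest_counter_walk(events)
    flagged = set(exposure) | {u for u, n in walks.items() if n >= walk_threshold}
    actors = {}
    for actor in sorted(flagged):
        seen = exposure.get(actor, {"objects": set(), "subjects": set()})
        actors[actor] = {
            "foreign_objects": sorted(seen["objects"]),
            "affected_subjects": sorted(seen["subjects"]),
            "longest_walk": walks.get(actor, 0),
        }
    return {"rejected_lines": rejected, "actors": actors,
            "unresolved_objects": sorted(unresolved)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, OWNER_OF))
```

Such a review is only as complete as the logs: it needs the authenticated user and the requested identifier recorded for every retrieval, over the whole period the weakness existed.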

4. Additional data collection and field observation

When the break that occurred during the proceedings of this case ended, cf. conclusion of chapter 1 above, the Personal Protection Agency requested in an email, on November 24, 2022, that the Office of the National Medical Examiner provide explanations and compile data due to the security breach in question. First of all, it was requested, in connection with what is referred to as case A, that it be substantiated how it could be that no personal data of the users of Heilsuvera had been disclosed in their interactions with healthcare professionals, and that data be provided that demonstrated this, such as screenshots.

The response of the Office of the National Medical Examiner on November 29, 2022 states that at the time the breach occurred, about 75% of messages to healthcare workers were requests for medication renewal, where no personally identifiable information would have been received if the security flaw had been exploited. In addition, a large number of messages referred to negative results from the COVID-19 screenings, while positive results were called out. Messages that people sent to their health center were also limited in length and people tried to keep them as short as possible. The same applies to the answers of health centers, which were usually very short and did not contain a connection to the person in question. If someone had taken advantage of the security flaw, they would not have been able to see who the message belonged to unless the message or reply had personally identifiable information. In support of that, the answer contained a sample of how a query about medication renewal and a response to it look in the interface of a person in Heilsuvera, and as can be seen there, the name of that person appears in fixed fields in the interface that do not belong to the actual message being viewed at the time. The National Medical Examiner's office says in its response that if someone had taken advantage of the security flaw to view other people's messages, they would have seen their own name in the interface and not the name of the correct recipient of the message.

Secondly, it was requested by the Personal Protection Agency that the attachments that reached two unauthorized parties in what is referred to as case B, as well as random samples of that data, be handed over, including sonar images that persons other than the right recipients were able to access.

In the response of the Office of the National Medical Examiner, it is stated that neither the office nor Origo hf., its processor, have the attachments to which the aforementioned two parties had access. When they informed the Office of the National Medical Examiner about the security breach, they were contacted and asked to delete the data. During the investigation of the security breach and its likely consequences, however, it was investigated which data could have been accessed, i.e. with the creation of a random sample of data that could be seen by unauthorized persons. It was a defect that only individuals who were registered in maternity care could have taken advantage of. During that inspection, it was possible to produce sonograms and other data related to maternity care, but the data was not saved but only examined. After changing the system configuration, the data can no longer be generated.

In addition, it says that the Office of the National Medical Examiner is not the responsible party for the data in question, but rather the relevant health institutions that made it available to Heilsuvera users. However, the Office of the National Medical Examiner is fully responsible for the failure as the party responsible for the operation and development of the website, but would have to analyze the event registration back in time to find what data the relevant parties were able to produce and request it from the relevant health institutions. Unfortunately, there has not been enough time to do so to date, nor to obtain random samples from the institutions of data that could otherwise have become accessible to unauthorized persons. On the other hand, it is worth stressing that during the security breach, information only became available to registered users of maternity care who downloaded attachments there during the months when the security vulnerability was present. No traces were found that anyone other than the two parties who notified the Office of the National Medical Examiner had access to data. Also, the service was not in use at all healthcare institutions, and the number of users who could access unauthorized data due to the breach was very limited, or less than 1,000 people.

Personal Protection considered the above answers, together with samples of data, not sufficient to resolve the case. By letter dated 16 January 2023, the Personal Protection Agency therefore called for an on-site inspection to examine further samples, and such an inspection was carried out at the premises of the Office of the National Medical Examiner on the 31st of January 2023. However, the necessary and requested data were not available at the time, and it was therefore decided that a field inspection would be held on February 6 with an examination of data that became accessible to unauthorized persons due to the breach, including a suitable sample of sonar images.

Due to unforeseen circumstances at the Personal Data Protection Authority, the examination was postponed until February 8, 2023. It was postponed again at the request of the Office of the National Medical Examiner due to the illness of an employee, and it was decided that the examination would continue on February 13, 2023. The office then requested a postponement again and a continuation was announced for the 15th of the same month. Before that time, a request was received from the office for further postponement, i.e. until March 1, 2023, in view of the absence of the data protection officer until then. The Personal Protection Agency considered that a postponement was unavoidable in order for the on-site inspection to be successful. A deadline was therefore granted until February 20, 2023, but no longer, as the Personal Protection Authority considered that, despite the importance of the role of the data protection officer, it was not a prerequisite for the examination of the data in question that he be present. A postponement was then requested with reference to the fact that the data protection officer had taken care of all communications with Personal Protection regarding the case. Personal Protection agreed to this extension request, but noted that no further extensions would be granted. The continuation of the field observation then took place on March 8, 2023.

During the continuation of the observation, what is called case A was looked at first. This concerned communications in the message section of Heilsuvera that had been chosen at random. First of all, these were negative results from the COVID-19 screenings that had been sent to Heilsuvera on June 5, 2020, but the results did not contain personally identifiable information. Secondly, these were all the communications that took place in the message section of Heilsuvera between 15.00 and 15.30 on the same day and were not related to the COVID-19 screenings. There were 151 message threads and seventeen times, or in about one out of nine cases, it was possible to identify which patient it was on the basis of one or more factors, such as the full name of the person written in the message, a rare first name, the location of a health center, a person's email address, phone number or social security number. It was noted by the Office of the National Medical Examiner that the path to the message was not visible in the browser bar and that it was necessary to go into the code itself and change the serial number to view individual communications.

After the aforementioned examination of data from the message section of Heilsuvera, samples of data, selected at random, that could be accessed in what is referred to as case B were shown. that it would also have been possible to access data from the Southern Health Institute. The samples that were shown belonged to the aforementioned institution and did not include ultrasound images, but the Data Protection Authority had requested samples of such images in the first part of the field inspection on January 31, 2023. Among the samples, however, were electrocardiograms, nursing letters and ambulance reports, among other things, and you could see a sticker on all the data with the ID number, name and address of the patient. It was confirmed what had been stated before that the registered people were around 40,000. It was then explained that women in the maternity care section of Heilsuvera, who were registered at the aforementioned health centers, had been given access to their sonograms inside the centers' medical records system and could then, by changing the URL, access other images that were registered there.

At the end of the on-site inspection, it was requested that the Data Protection Authority be sent the aforementioned data in connection with what is referred to as case A, and it was stated that a secure method of transmission should be used. The agency did not consider it necessary to receive the specific data that had been shown in connection with case B, and the opinion described above was deemed sufficient.

5. Letter following field observation

Following the continuation of the field inspection, the Office of the National Medical Examiner sent a letter dated March 13, 2023, along with the data requested during the on-site inspection, and the data had to be unlocked with a password sent separately from the data. As for what is referred to as case A, it is noted that there was no number in the URL and that it was necessary to go behind the scenes and deal with so-called parameters on the website in order to see a message from an unauthorized person. It is also said that after Heilsuvera's message section was put into use, health centers were initially reluctant to use it for anything other than medication refills. On June 8, 2020, about 600,000 communication threads were saved in Heilsuvera, but a large part were medication renewals without personally identifiable information, in addition to which 62,734 negative responses from the COVID-19 screenings were saved. For the most part, the messages did not contain text that made them personally identifiable, and considerable technical knowledge was required to take advantage of the said security flaw.

In relation to what is referred to as case B, it is noted that the expectant mother's access to the sonogram from the electronic maternity register was faulty so that it was possible to access other attachments at the health institution where the expectant mother attended maternity care. It is emphasized that at the time the security flaw was discovered, access had only been opened for expectant mothers who were in maternity care at the Health Center of Suðurnesja and the Health Center of Suðurlands. In order to use the security flaw, the mother-to-be had to have an ultrasound image as an attachment. In these two places, there are less than 200 births per year. Expectant mothers who had access to their maternity register at Heilsuvera at that time did not all have sonograms.

It is noted that the Office of the National Medical Examiner initially believed that the attachments, which expectant mothers could access, would very rarely have been personally identifiable. However, when examples from the Suðurnesja Health Institute were examined, it became clear that there were many scanned documents, many of which could be traced to individuals.

In addition, it says that when the security flaw was discovered in the first half of June 2020, various projects related to COVID-19 were being worked on, including a very extensive project to set up screenings for infections at the borders. Despite these difficulties, the office believes that it would not have been possible to react in a better way when the security flaw was noticed.

6. Additional data requested – Comments on field observation description

Personal Protection considered that additional data was needed in relation to what is referred to as case B, i.e. samples of sonar images, but as mentioned earlier, such images were not shown during the field inspection conducted on January 31 and March 8, 2023. The Office of the National Medical Examiner was therefore sent a letter dated April 4, 2023, requesting images of this kind that could be accessed by unauthorized persons due to the security breach, and it was noted that five images were considered a reasonable sample. As a result, five samples of sonar image data that could be opened were received on April 17, 2023; each consisted of, on the one hand, an ultrasound request of an expectant mother to Landspítali and, on the other hand, a collection of sonar images taken as a result of the request. Each request was identified with the mother's name and social security number, and her social security number was also on each image.

After receiving this data, the Office of the National Medical Examiner was sent a description of what took place during the aforementioned field inspection, i.e. in an email on April 26, 2023. The office's response a day later confirmed what is stated in section 5 above about the number of mothers-to-be who were able to access data unrelated to them.

7. Correspondence regarding an increase in the estimated fine amount

With a letter to the Office of the National Medical Examiner, dated 12 May 2023, Personal Protection reported an increase in the estimated amount of the administrative fine in connection with the said security breach, i.e. from approx. ISK 4,500,000 to approx. ISK 15,000,000, and the office was granted the right to object on that point. In that regard, reference was made to the same provisions of Regulation (EU) 2016/679 and Act no. 90/2018 as had been mentioned in the objection letter of June 29, 2022, in addition to Article 25 of the regulation and Article 24 of the law. Subsequently, a letter was received from a lawyer on behalf of the office, dated May 19, 2023, where certain information and data were requested. That request was followed by a letter from the Personal Protection Agency to the lawyer, dated the 30th of that month, and subsequently a letter was received from the Office of the National Medical Examiner, dated June 2, 2023.

The letter covers the definition in point 11 of paragraph 1 of Article 3 of Act no. 90/2018 of the term security breach, i.e. that it is a breach of security that leads to the realization of certain security threats. It says that the term therefore does not assume that possible access to personal information can fall under it, nor that what could have happened should be considered. Instead, the term covers when actual access is obtained to personally identifiable information. A distinction must therefore be made between when a flaw or weakness in a system can lead to, on the one hand, an external party being enabled or made easier to abuse their access to access information that does not belong to them, and on the other hand, information being provided in practice to external parties. In this regard, it is described that the aforementioned security vulnerabilities in Heilsuvera were specifically created and exploited by an individual, a father-to-be, who is an educated computer scientist. His child's mother identified herself and logged into Heilsuvera's system with an electronic ID in order to view a sonogram. The father-to-be, by virtue of his expertise and experience, then made changes to the connection string as far as possible, in order to investigate whether it was possible to induce and exploit weaknesses in the system. Subsequently, he decided to investigate whether the same could apply to other system units within Heilsuvera and managed to perform a similar operation in the message section of the system. There, additional knowledge was needed, since development mode had to be activated in order to be able to figure out the connection string. To confirm the existence of the weaknesses, the father-to-be contacted his colleague who confirmed them.

With reference to this, it is said that three things were necessary for the security of information to be threatened: firstly, the user had to be logged in to Heilsuvera with electronic credentials; secondly, they had to know of the existence of said weaknesses; and thirdly, they had to have both the knowledge and the experience to perform the series of actions, one or more, that were required to produce them. Because of this, the Office of the National Medical Examiner disputes that a certain number of attachments in the medical record systems were accessed by unauthorized persons through the Heilsuvera website between March 28, 2019 and June 8, 2020. According to the analysis of the action files, no one took advantage of the weaknesses apart from the two registered users identified earlier. These users also immediately reported the weaknesses to the office's processor, Origo hf., which in turn alerted the office. The weaknesses were actually only created and exploited by one person, under very limited circumstances, but he then asked another person to produce the weaknesses as well and presumably instructed him in that respect.

It is noted that as soon as the Office of the National Medical Examiner became aware of the weakness in question, the system was taken down and appropriate changes were made. It can only be said that the response was as good as possible, as only 38 minutes passed from when Origo hf. became aware of the defect at 11.07 until the system was taken down at 11.45. In addition, it only took five hours and four minutes to make the necessary fixes, verify that they were satisfactory, and return the system to service at 16.11. It is indisputable that no personal information was displayed without authorization in the system's interface and that the vulnerabilities were not created for any purpose other than to confirm them. To that end, the relevant users, of which there were only two, were given access to six documents from the maternity care section of Heilsuvera and three messages from users of Heilsuvera. Therefore, it is clear that the scope of the vulnerabilities was very limited, and it is emphasized that special technical knowledge was needed to take advantage of them. In addition, it is beyond reasonable doubt, in light of the circumstances of the case, that the probability of unauthorized access was negligible, and this has a significant impact on the assessment of whether it is even possible to apply the fines of the privacy legislation.

It is therefore not possible to consider what the scope could have been if certain users of Heilsuvera had decided to take advantage of the weaknesses to access information that did not belong to them. At the same time, there are operational records that confirm that, apart from the two persons in question, no one accessed information that did not belong to them, and that is a fundamental issue in the case. At the time in question, 82 women had attachments in the maternity care section of Heilsuvera, and they were the only ones able to access attachments from medical record systems that did not belong to them. Since all actions of logged-in users are recorded, the probability that unscrupulous parties took advantage of security weaknesses for illegal purposes was negligible, and it is essential to take into account what actually happened and not what could possibly have happened.

With reference to the above, the position is expressed that there has been no violation of paragraph 1 of Article 27 of Act no. 90/2018, cf. also item 6 of paragraph 1 of Article 8 and Article 24 of the law. It is noted that it has in no way been substantiated how the last-mentioned provision was violated, as it is not claimed that Heilsuvera has been set up in such a way as to violate the principles of the privacy legislation, such as the minimization of data, or in relation to the rights of the registered. In addition, it is not claimed that information was kept for too long or that access permissions were not set correctly; the latter point does not cover illegal access due to a lack of security, but the allocation of access and system settings. It also says that it cannot be seen what other issues related to built-in and default personal protection could be at issue in the case, and consideration of that issue is therefore rejected entirely. The fact is that great emphasis has always been placed, in the installation of Heilsuvera as well as in the configuration and processing of personal information in the system, on meeting the requirements of the provision in question. It also says that it must be required that the authority which intends to impose fines clearly reasons what the alleged offense is supposed to have been, so that the right to object can be adequately protected, but this has not been done in this case.

Following this, considerations related to the announced fine amount are discussed. It says in this regard that if the Personal Protection Agency decides, against the objections of the Office of the National Medical Examiner, to impose a fine that amounts to 15,000,000 ISK, it can in no way be justified, given that the two highest fines that the agency has applied to date amounted to 7,500,000 ISK on the one hand and 5,000,000 ISK on the other. It was described in the decision on the former fine, dated November 23, 2021 (case no. 2020092288), that processing authorization was lacking, that principles were not met, that education was insufficient, that adequate security measures were not taken and that a processing agreement was not concluded with the processor. In addition, it was specifically taken into account that 226,158 individuals received insufficient training in connection with the processing, and it was therefore a very large group of registered individuals. It was also stated in the decision on the latter fine, dated 3 May 2022 (case no. 2021040879), that processing authorization was lacking, that principles were violated and that personal data was transferred to a third country without adequate measures. Special consideration was also given to the fact that those registered were children and that sensitive personal information was being processed.

It is stated in the letter from the Office of the National Medical Examiner that in the case under discussion the fine falls under paragraph 2 of Article 46 of the Personal Protection Act. The penalty limit according to that provision is half of the penalty limit that applies to the offenses to which the above two cases were related, i.e. according to paragraph 3 of Article 46 of the law. Taking that into account, it cannot be seen that the announced fine amount is compatible with the proportionality and non-discrimination rules of administrative law. In this regard, reference is made to the decision of the Personal Protection Authority, dated April 29, 2021 (case no. 2020010355), which concerned a case where information not belonging to the viewer could be seen by changing a connection string in the same way as in what is referred to as case B. It is pointed out that, as stated in the aforementioned decision, two individuals obtained information on a total of 424 children in Iceland and Sweden and that a fine of 3,500,000 ISK was imposed. Furthermore, it is said that the said security weakness in Heilsuvera is in no way comparable to, or as extensive as, that case, since outsiders only retrieved information about nine individuals. It is noted in this connection that the information was verifiably more sensitive than in the older case, but on the other hand, that case involved a sensitive category of registered persons. The Office of the National Medical Examiner does not see that other circumstances now justify a fine of almost five times the amount.

After that, the individual issues that must be considered when applying the Personal Protection Authority's sanctioning powers are reviewed in light of paragraph 1 of Article 47 of Act no. 90/2018, cf. paragraph 2 of Article 83 of Regulation (EU) 2016/679. As far as the nature and seriousness of the offense (item 1 of the legal provision) is concerned, it is reiterated, as previously stated, that the applicable fine framework is that of paragraph 2 of Article 46 of the Act and not paragraph 3 of the same article. It is noted that even if reference is made to item 6 of paragraph 1 of Article 8 of the law, cf. point (f) of paragraph 1 of Article 5 of the regulation and item 1 of paragraph 3 of Article 46 of the law, the alleged lack of adequate security measures will not be considered a serious offence, as it would otherwise have no meaning to include the alleged offense under the lesser penalty, cf. item 1 of paragraph 2 of Article 46 of the Act and Article 32 of the regulation, cf. also paragraph 1 of Article 27 of the law. It also says that the security breach only lasted for 5 hours and 4 minutes, and it is objected that the duration should be based on how long security weaknesses, which registered users could technically abuse, were present, cf. the discussion by the Office of the National Medical Examiner on the concept of security breach, which is discussed above.

In addition, reference is made to the purpose of processing personal information in Heilsuvera, which is to provide users of health services, i.e. the whole public in the country, with electronic access to such services from their providers. The Office of the National Medical Examiner is entrusted with the task of ensuring electronic communication between these parties and at the same time promoting the efficient use of the limited resources that the health system has. The purpose of moving maternity care to electronic form was, among other things, to ensure the safety of expectant mothers by making sure that the necessary information was always available to those who provide them with services and also to the expectant parents themselves. In this way, electronic communication is made safer, the burden on healthcare institutions is reduced, and it is ensured that the necessary information is stored in the medical record. It must be pointed out that the activities of the Office of the National Medical Examiner are not profit-driven and include services in the public interest that are important to all citizens in the country. This has generally led to a reduction in the possible amount of fines in Personal Protection's practice, and the reason why the aforementioned security weaknesses in Heilsuvera were exploited by outsiders, i.e. for the sole purpose of verifying the weaknesses, should lead to the same.

It is noted that the assessment of the scope of the security breach should take into account what is stated earlier about the delimitation by the Office of the National Medical Examiner of the duration of the breach, as well as the number of persons on whom outsiders sought information. In this connection, the position is also emphasized that what could have happened due to the said security weakness should not be taken into account. It is disputed that the medical record information of tens of thousands of individuals was involved, given that the information was demonstrably not accessible to unauthorized parties during the period that the vulnerability was present, even though it made it easier for unauthorized persons to abuse the system to access other people's information. This means that the extent of the security breach must be assessed so that two persons have examined a total of nine documents that belonged to nine persons and the Office of the National Medical Examiner must assess how limited the breach was. It should also be assessed to the office's benefit that no registered person has suffered damage.

Regarding whether the offense was committed intentionally or negligently (item 2, paragraph 1, article 47, Act No. 90/2018), it is said to be indisputable that no registered person has suffered damage. In relation to actions to reduce losses to registered persons (item 3 of the provision), it is also noted that the Office of the National Medical Examiner immediately took action to limit the likelihood of losses due to the security breach in question, as the weakness in Heilsuvera was rectified on the same day and external experts were brought in to ensure that adequate measures had been taken.

As far as responsibility with regard to technical and organizational measures is concerned (item 4 of the legal provision), it says that an audit was carried out on Heilsuvera before the messaging functionality was activated and it was found that all authorizations for lookups were based on user ID numbers. By mistake, that functionality was not implemented in the same way in what is referred to as case A, and the same configuration was then reused when the maternity care part was added, cf. what is referred to as case B. It is possible that a more detailed evaluation would have caught the weakness, but this cannot be conclusively stated. However, the security of personal information was the main design premise of Heilsuvera, and it was based on the main goals of the Office of the National Medical Examiner regarding the security of network and information systems in healthcare, i.e. among other things that all information in the network and information systems of those who provide healthcare services is adequately protected against all threats, internal and external, whether they arise from intent, accident or mishap.

In this regard, it is further stated that among the measures taken by the Office of the National Medical Examiner to ensure the security of information in Heilsuvera are the following: the use of a three-layer configuration where the web, web services and database are hosted on three different servers with firewalls between them, a configuration that secures the information as well as possible against intrusions and makes it very difficult for unauthorized persons to access the system's data; that Heilsuvera itself stores a very limited amount of data and at the same time encrypts all personally identifiable information, and otherwise relies on information retrieved through encrypted communications via a closed health network (Hekla) from the medical record systems of those who provide health services, i.e. in portals they operate; that all communications between user devices and Heilsuvera's web servers are encrypted and based on approved device credentials; that hosting for Heilsuvera is chosen by tender from among the most powerful hosting providers in the country, while the current hosting provider, Origo hf., is certified to comply with the ISO-27001 security standard; that the system is protected with very powerful hacking protection, together with strict monitoring of hacking attempts, and that monitoring has, among other things, identified tests that Syndis ehf. has done for the Ministry of Cyber Security and which no public authorities have become aware of; and that the action registration in Heilsuvera is very detailed and all actions are recorded, and this has established that only those who reported the mentioned weakness took advantage of it.

In relation to whether previous offenses should have an effect (item 5, paragraph 1, article 47, Act No. 90/2018), it is stated that there are no such relevant offenses. Regarding the extent of cooperation with the Personal Protection Agency (item 6 of the provision), it also states that when the security breach was reported to the Personal Protection Agency, not all information was available about its nature and extent, such as the possible number of persons that the breach might affect. The main focus on the part of the Office of the National Medical Examiner was to carry out the statutory reporting obligation to the Data Protection Authority and to assess, to the best of its knowledge, the number of persons and files that could possibly be affected by the breach. Subsequently, the information was passed on to Personal Protection as a better overview was obtained, and it became clear at a later stage that the extent of the security breach was much, much smaller than initially believed, as it became clear that no one other than those who reported the security vulnerability in question had exploited it.

Reference is made to the statement in the right of objection letter from Personal Protection, dated May 12, 2023, that contradictory and substantively incorrect explanations were given during the handling of the case. The Office of the National Medical Examiner strongly objects to this and says that its explanations have always been based on the best available information. Towards the end of Personal Protection's handling of the case, when further explanations and data were requested, the scope and nature of the security breach finally became clear, but information regarding that was not available at the Office of the National Medical Examiner or the processor. The reason for this is the structure of Heilsuvera: as mentioned earlier, data is not stored in the system itself but at the relevant health institutions, with the exception of messages, which are saved centrally to ensure user access and the efficiency of the system. It also says that the messages are considered medical record information and the health institutions are therefore responsible for them in the same way as for other data. The Office of the National Medical Examiner does not have the authority to gain access to data stored at the institutions, nor does it have control over how it is stored and whether it is marked with individuals' identities or not. Therefore, the office was not in a position to investigate this in detail, as the Personal Protection Agency was informed in the first part of the on-site inspection on 31 January 2021. In accordance with the request expressed by the institution, the office obtained samples of the data in question and then considered that it consisted only of sonogram images.
However, during the examination of documents at the request of the Data Protection Authority, it was found that this was not the case, and that the relevant health institution followed the practice of marking all attachments in the medical record system with the name and ID number of the patient in question before they were scanned. That was not expected, and the Office of the National Medical Examiner informed the Data Protection Authority about it in the second part of the site visit on March 8, 2023. Accordingly, the explanations of the office were never materially contradictory or incorrect, but based on the available information in each case. It was also normal for them to change on closer inspection, which the Office of the National Medical Examiner was unable to carry out on its own initiative. In addition, the Office of the National Medical Examiner refers to the discussion in the aforementioned right of objection letter, to the effect that there have been delays in granting access to data for the purpose of investigating the case, i.e. to the aforementioned sonograms. It is emphasized in this regard that it is not possible for the office to access the data in question on its own initiative. It is also disputed that there were delays in the delivery of the requested sonogram images, as it was the understanding of the Office of the National Medical Examiner and representatives of Origo hf. during the on-site inspection that the delivery of such images was not necessary, as it had been stated during the inspection that they were personally identifiable. Therefore, at first, only samples of other types of attachments were provided. In addition, Personal Protection's messages were answered as quickly as possible, and in cases where that happened later than requested in the organization's letters, it was always within the extended response deadline that the institution had agreed to grant.
There were various reasons for the need for a postponement, such as the fact that Personal Protection's letter was received when most of the employees were on summer vacation and that it turned out that the responsible employee of Personal Protection was also away when the original response deadline had passed. Furthermore, it can be noted that the postponement of the on-site inspection was due to the illness and leave of the staff of the Office of the National Medical Examiner, as well as the fact that the Personal Protection Agency itself postponed the first part of the inspection due to uncontrollable circumstances. It can also be pointed out that the request for data in November 2022 was received after standard office hours on a Thursday and a response was requested before noon on the following Tuesday, and that it included data that the Office of the National Medical Examiner was unable to access.

It is noted in this regard that when the security breach was noticed, very drastic measures were taken and Heilsuvera was shut down while weaknesses in the system were identified and fixed. It is stated that this should be assessed in favor of the Office of the National Medical Examiner, and that it involves a clear violation of the proportionality principle of administrative law to treat as an aggravating factor the fact that there was no full knowledge of the nature and extent of the security breach at the beginning and that it turned out to be less serious than it first appeared. It also says that it likewise involves a violation of proportionality to let the delay in answers and in the delivery of data lead to a large increase in fines. It is difficult to see that this has had any effect on the progress of the case, as almost two years passed from the answers that the Office of the National Medical Examiner gave to Personal Protection in August 2020 until the right of objection letter in connection with the application of the penalty authority was received in June 2022. Since the said weakness in Heilsuvera was repaired on the same day, there was no ongoing security threat that required the procedure to be expedited two years later.

As regards the categories of personal information affected by a breach (item 7, paragraph 1, article 47, Act no. 90/2018), reference is made to the fact that according to the aforementioned letter from the Personal Protection Agency, dated May 12, 2023, the medical record information of tens of thousands of individuals is involved. This is completely contested, and what was previously stated is reaffirmed, namely that the security breach only affected nine individuals. It also says that even if the Personal Protection Authority, despite the objections of the Office of the National Medical Examiner, believes that regard must be had to a more serious breach that could have occurred, it is not at all certain whether the persons concerned would all have been personally identifiable. In addition, reference is made to the fact that, according to the aforementioned letter, about one out of nine specific message threads, which were examined during the field inspection, were personally identifiable. In relation to that point, it is noted that the messages in question were sent during the Covid-19 epidemic and that the use of Heilsuvera was then somewhat changed and increased in scope from what it was before. In this way, Personal Protection here relies only on a very limited sample of messages sent on a specific day around the time the security breach was discovered, and non-personally identifiable responses about negative Covid-19 screenings are not included in the sample. It is then unclear whether the messages that the Personal Protection Authority assesses as personally identifiable were so in reality, as there is no overview of the Personal Protection Authority's assessment. In this regard, reference is made to the recent judgment of the European Court of Justice from April 23, 2023 in case no. T-557/20; according to that judgment, when assessing whether information is personally identifiable, it must be considered how likely it is that the person receiving the data can identify the individual.

Regarding the way in which the Personal Protection Agency was alerted to a breach (item 8, paragraph 1, Article 47 of Act No. 90/2018), it is undisputed that the Office of the National Medical Examiner reported the security breach to the Personal Protection Agency. Regarding compliance with instructions on remedial measures (item 9 of the provision), it is said that the Personal Protection Authority has not given such instructions to the office, as it took the necessary measures on its own initiative to prevent the harmful consequences of a security breach. In relation to compliance with recognized codes of conduct or recognized certification arrangements (item 10 of the provision), it says that no codes of conduct have been approved that are relevant to the case. It also states, regarding other aggravating and mitigating factors, such as profits resulting from an offense (item 11 of the provision), that the Office of the National Medical Examiner did not profit from the security breach in question, and it is also emphasized that, in light of the proportionality principle of administrative law, the fine is considered far too high and not in accordance with the previous penalty decisions of the Personal Protection Agency.

At the end of the letter from the Office of the National Medical Examiner, it is stated that it is seriously concerned about the precedent that the Personal Protection Authority may set here, not least in view of the fact that a very limited security breach was involved, due to the access of two computer scientists to very limited data. They deleted the data immediately and informed the office about the weakness. It is well known, both in Iceland and abroad, that experts like these look for weaknesses, whether requested or unsolicited, and report them to responsible parties. Large companies therefore often have a special arrangement to request such reports in return for payment (bug bounty). It is absolutely clear that with a guilty verdict in this case, this may become very difficult, and the parties responsible may become afraid to report a security breach to the Personal Protection Agency. That is certainly not the purpose of the privacy legislation.

In addition, it is noted that the Office of the National Medical Examiner attaches great importance in all its activities to working with data and personally identifiable information in accordance with current legislation, including in the field of personal protection. All suggestions on how to do better are welcomed, but the office does not agree with the conclusion of the Personal Protection Agency that it has violated the personal protection legislation in such a way that it justifies the amount of the fine that has been announced.

II.
Conclusion
1.
Scope – Responsible party

It is clear that in what is referred to as case A, the communication between healthcare workers and users of Heilsuvera was accessible to unauthorized persons from 2015 to June 8, 2020. It is therefore clear that the situation under consideration partly fell within the period of validity of Act no. 77/2000 on personal protection and processing of personal information, but that law was replaced on July 15, 2018 by Act no. 90/2018 on personal protection and the processing of personal data, which also codified the personal protection regulation, (EU) 2016/679, as it was adapted and included in the EEA Agreement. Since the rules of the law on personal protection that are at issue in case A have not changed materially, the case will be resolved on the basis of the regulation and Act no. 90/2018.

The scope of Act no. 90/2018 and Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act and paragraph 1 of Article 2 of the regulation, and thus the authority of Personal Protection, cf. paragraph 1 of Article 39 of the Act, covers the processing of personal data that is partially or fully automated and the processing of personal data that is or is to become part of a file by methods other than automatic.

Processing refers to an operation or series of operations where personal data is processed, whether the processing is automatic or not, cf. item 4 of Article 3 of the Act and item 2 of Article 4 of the regulation.

Personal information is information about an identified or identifiable person, and a person is considered identifiable if it is possible to identify him, directly or indirectly, with reference to his identity or one or more factors that are characteristic of him, cf. item 2 of Article 3 of the Act and item 1 of Article 4 of the regulation.

This case concerns security vulnerabilities that caused a security breach on a website where individuals are given access to their information from the healthcare system. Accordingly, and taking into account the above-mentioned provisions, this case concerns the processing of personal data that falls under the authority of the Personal Protection Agency.

The party responsible for ensuring that the processing of personal information is compatible with Act no. 90/2018 and Regulation (EU) 2016/679 is called the responsible party. The responsible party is an individual, legal entity, government authority or other entity that determines, alone or in cooperation with others, the purpose and methods of processing personal data, cf. item 6 of Article 3 of the Act and item 7 of Article 4 of the regulation. The question here is who is responsible for ensuring the security of personal information in Heilsuvera. It is clear that the Office of the National Medical Examiner plays a central role in accordance with Article 4 of Regulation no. 550/2015 on medical records, cf. paragraph 1 of Article 24 of Act no. 55/2009 on the same topic, and in this regard reference can be made to the notification about "My pages" on Heilsuvera that Personal Protection received on January 24, 2018 (no. S8538, case no. 2018010115 at the agency) from the office on the basis of Article 31 of the then-current Personal Protection Act, no. 77/2000. As matters stand here, the office is therefore considered to be the party responsible for the processing in question.

2.
Security and security breach rules

All processing of personal data must be compatible with the principles of paragraph 1 of Article 8 of Act no. 90/2018 and paragraph 1 of Article 5 of Regulation (EU) 2016/679. According to item 6 of the legal provision and point (f) of the provision of the regulation, personal data must be processed in such a way that their appropriate security is guaranteed.

The security of personal information is discussed in more detail in Article 32 of the regulation, cf. paragraph 1 of Article 27 of the law. According to paragraph 1 of the provision of the regulation, the responsible party shall, taking into account the latest technology, the cost of implementation and the nature, scope, context and purpose of the processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of individuals, take appropriate technical and organizational measures to ensure adequate security in relation to the risk, such as being able to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (point b) and adopting a process to regularly test and evaluate the effectiveness of technical and organizational measures to ensure the security of processing (point d). When assessing acceptable security, the risks that the processing entails must be taken into account, e.g. that information will be published or that access will be granted to it without permission, cf. paragraph 2 of Article 32 of the regulation.

In addition, it is prescribed in Article 25 of the regulation, cf. Article 24 of the law, that measures must be taken to ensure built-in and default personal protection. In more detail, paragraph 1 of the provision of the regulation states that, taking into account the same issues as mentioned in paragraph 1 of Article 32 of the regulation, the controller shall, both when determining the methods of processing and when the processing itself takes place, take appropriate technical and organizational measures, such as pseudonymisation, designed to enforce the principles of personal protection, such as data minimization, in an efficient manner and incorporate the necessary protective measures into the processing to meet the requirements of the regulation and protect the rights of data subjects. Paragraph 2 of Article 25 of the regulation then says that the responsible party shall take appropriate technical and organizational measures to ensure that by default only the personal data that is necessary for the purpose of the processing is processed at any given time. This obligation applies to how much personal data is collected, to what extent it is processed, how long it is kept and access to it. In particular, such measures shall ensure that by default personal data will not be made available to an unlimited number of people without the intervention of the person concerned.

The term security breach is defined in section 11. Article 3 of the Act and number 12 Article 4 of the regulation, i.e. as a breach of security that results in the unintentional or unlawful destruction of personal information, or in its being lost, changed, disclosed or accessed without permission. If there is a security breach in the processing of personal data, the responsible party must report it to the Personal Protection Agency, unless it is unlikely that the breach will lead to a risk to the rights and freedoms of individuals, cf. Paragraph 2 Article 27 of the law, cf. Paragraph 1 Article 33 of the regulation. The responsible party must also notify the registered person of a security breach without undue delay if it is likely that the breach will result in a high risk for the rights and freedoms of individuals, cf. Paragraph 3 Article 27 of the law, cf. Paragraph 1 Article 34 of the regulation.

When the responsible party becomes aware of a security breach, it is important that they immediately take appropriate action to prevent further damage or risk as a result of the security breach, as well as consider how to prevent a similar security breach from happening again. When assessing which measures are appropriate, the responsible party must, among other things, have regard to Article 32 of the regulation.

The fact that the responsible party takes appropriate and adequate measures reduces the likelihood that the Personal Protection Authority will impose fines according to Article 46 of the law, cf. Article 83 of the regulation. Furthermore, it is clear that failure to comply with the obligation to report security breaches increases the likelihood of a fine being imposed.

3.
Conclusion on security

It is established that a security weakness within Heilsuvera meant that, after logging in to the website, it was possible to manipulate so-called parameters in its message section in order to see unauthorized messages (i.e. by right-clicking with the computer mouse to access the code of a specific page on the website and then changing it to see another page in the area). Furthermore, it is established that expectant mothers, who were registered in the maternal care section of Heilsuvera at the Health Center of Suðurnesja and the Health Center of Suðurland, were able to change the URL of a sonogram image that they were given access to from the medical record system in order to see other images within the system, i.e. attachments that were saved there.
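The weakness described above is a missing object-level authorization check: being logged in was enough to read whichever message or attachment the request named. The following added example (not code from Heilsuvera or from the decision; all function names, ids and records are constructed assumptions) contrasts that pattern with a lookup that checks ownership against the session on the server and records every decision.

```python
# Added illustration; every name and record below is constructed, not taken from Heilsuvera.
from collections import Counter


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


# Constructed sample stores: every record carries the identity of its owner.
THREADS = {
    101: {"owner": "user-a", "body": "Appointment reminder"},
    102: {"owner": "user-b", "body": "Lab result follow-up"},
}
ATTACHMENTS = {
    "img-0001": {"owner": "user-a", "name": "scan-a.png"},
    "img-0002": {"owner": "user-b", "name": "scan-b.png"},
}

AUDIT_LOG = []  # one entry per lookup: who asked, for what, and the decision


def get_thread_vulnerable(session_user, thread_id):
    """Weak pattern: authentication only. The id arrives in the request
    (page parameter or URL), so any logged-in user can read any thread."""
    if session_user is None:
        raise Forbidden("login required")
    return THREADS[thread_id]


def get_owned(session_user, store, kind, object_id):
    """Hardened pattern: authorize every lookup against the session identity
    on the server side, and record the decision."""
    if session_user is None:
        raise Forbidden("login required")
    record = store.get(object_id)
    allowed = record is not None and record["owner"] == session_user
    AUDIT_LOG.append(
        {"user": session_user, "kind": kind, "id": object_id, "allowed": allowed}
    )
    if not allowed:
        # Same error for missing and foreign objects, so the response
        # does not confirm that an id exists.
        raise Forbidden("not available")
    return record


def denied_counts():
    """Denied lookups per user, for review of the audit trail."""
    return Counter(e["user"] for e in AUDIT_LOG if not e["allowed"])
```

The same `get_owned` check serves both message threads and attachments, which matters here because the attachments were fetched from a system outside the portal and still need the ownership decision made before anything is returned.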

It has been stated that two users of the website accessed the information of other users on the basis of said weaknesses, which constituted a security breach within the meaning of section 11. Article 3 Act no. 90/2018 and No. 12 Article 4 of regulation (EU) 2016/679. It has also been stated that information about other persons could be accessed without authorization due to the weakness in the message section of Heilsuvera from 2015 to June 8, 2020, as well as that certain users were able to retrieve attachments from medical record systems that did not belong to them from September 2019 to the same day, i.e. June 8, 2020.

In the explanations of the Office of the National Medical Examiner, it has been claimed that only in exceptional cases were users able to access information that could be traced to other users in the message section of Heilsuvera. From the data examined in the field examination, cf. Chapter 4 in Part I above, however, it is clear that it was quite common for personally identifiable information to appear in the text of messages: a sample of 151 message threads was examined, and in approximately every ninth case, or 17 times, an individual could be identified in the opinion of the Data Protection Authority. It should be noted that the results of negative COVID-19 screenings were not included here, but it is clear that they were not traceable to individuals. However, it should also be noted that in the 17 cases in question, where information is considered to have been personally identifiable, items appeared, alone or together with others, that are well known to be attributable to certain individuals, such as a rare first name, telephone number or social security number, cf. the more detailed description in chapter 4 of part I. The Data Protection Authority therefore does not consider the traceability of the information to be particularly questionable, and in addition there is no reason to believe that the sample in question is in any way atypical as far as personally identifiable information in message threads is concerned.

It has also been stated in the explanations of the Office of the National Medical Examiner that only in exceptional cases could attachments that became accessible be linked to the person they belonged to. During said field inspection, however, it was found that the attachments, which were randomly selected for inspection, were all marked with personal identifiers. The same applies to attachments obtained by the Personal Protection Agency following an on-site inspection, i.e. sonogram images that could be accessed by unauthorized persons. Accordingly, it must be regarded as the exception that personal information was not identifiable to the person concerned.

In this regard, it is necessary to consider that information about health is sensitive personal information, cf. b-point 3. no. Article 3 Act no. 90/2018 and paragraph 1 Article 9 of regulation (EU) 2016/679. Such information enjoys special protection under the personal protection legislation, and unauthorized access to it poses a serious risk to the rights and freedoms of registered individuals.

Considering the role played by Heilsuvera's information website, it is extremely urgent that appropriate technical and organizational measures are taken to ensure security in the processing of personal information, cf. Paragraph 1 Article 27 Act no. 90/2018 and further provisions of paragraph 1 of Article 32 of regulation (EU) 2016/679. At issue here are measures to ensure ongoing confidentiality, cf. point b of the latter provision, and to regularly test and evaluate the effectiveness of security measures, cf. point d of the same provision. In addition, Personal Protection believes that, in light of the sensitive nature of the information in question, built-in and default personal protection is particularly at issue, cf. Article 24 of the Act and Article 25 of the regulation, i.a. as regards the limitation of access to information, cf. Paragraph 2 of that provision of the regulation, as was specifically pointed out in the right of objection letter, dated May 12, 2023. However, it is clear that due to weaknesses in Heilsuvera, users were able to access information about other persons without authorization for a long time, as described earlier.

In the opinion of the Data Protection Authority, the Office of the National Medical Examiner therefore did not ensure the security of personal information on Heilsuvera's information website in the manner required by points b and d of paragraph 1 of Article 32 of regulation (EU) 2016/679, cf. Paragraph 1 Article 27 Act no. 90/2018. Furthermore, built-in and default personal protection was not adequately ensured, cf. Article 25 of the regulation and Article 24 of the law, in addition to the fact that, in light of insufficient information security, there was a violation of point f of paragraph 1 of Article 5 of the regulation and number 6. Paragraph 1 Article 8 of the law in the circumstances of this case.

4.
Perspectives on the application of sanctions

Next to be considered is whether the Office of the National Medical Examiner should be subject to administrative fines, cf. Article 46 Act no. 90/2018, cf. also Article 83 of regulation (EU) 2016/679. As stated in paragraph 1 of Article 46 of the Act, Personal Protection may, among other things, impose an administrative fine on any controller or processor pursuant to paragraph 4 of the provision that violates any of the provisions of the regulation listed in its paragraphs 2 and 3.

More specifically, it is being examined here whether a fine should be imposed on the Office of the National Medical Examiner for an offense that is directed, on the one hand, against points b and d of paragraph 1 of Article 32 and Article 25 of the regulation, cf. penalty authority in paragraph 1 and number 1. Paragraph 2 Article 46 of the Act and point a of the 4th paragraph Article 83 of the regulation, and, on the other hand, against point f of paragraph 1 of Article 5 of the regulation, cf. penalty authority in paragraph 1 and number 1. Paragraph 3 Article 46 of the Act and point a of the 5th paragraph Article 83 of the regulation. As regards the fact that the same offense is subject to two penalty authorities at the same time, it should be noted that when insufficient information security is considered particularly serious, such as in light of the sensitive nature of the information, the Personal Protection Authority believes that in addition to Article 32 and Article 25 of the regulation, cf. also the relevant penalty authority, the principle of information security according to point f of paragraph 1 of Article 5 of the regulation is engaged, and thus the penalty authority it is subject to.

When deciding on the imposition and amount of a fine, paragraph 1 of Article 47 Act no. 90/2018, cf. Paragraph 2 Article 83 of the regulation, must be considered. It lists factors that can count either in favour of the party concerned or to its disadvantage, and those that come into play in this case are discussed here.

a. Nature, scope and purpose of processing

According to number 1 Paragraph 1 Article 47 Act no. 90/2018, cf. a-point 2. paragraph Article 83 of Regulation (EU) 2016/679, the nature, severity and duration of the breach must be taken into account, with regard to the nature, scope and purpose of the processing, as well as the number of registered persons affected and the level of damage they suffered.

It is clear that this was a security vulnerability that affected extensive sensitive personal information about a large number of individuals over a fairly long period of time. For approx. five years, everyone who had access to Heilsuvera could view unauthorized messages in the message section of the website, and for a period of approx. ten months it was possible to access attachments from the medical record systems at the Health Center of Suðurnesja and the Health Center of Suðurland. The group that was able to open these attachments, however, was limited to expectant mothers who attended services at the mentioned two healthcare facilities, but as stated in the explanations of the Office of the National Medical Examiner, almost two hundred babies are born in Suðurland and Suðurnes a year. It is not known that individuals have suffered losses due to the weaknesses. In this regard, however, it should be noted that the serious consequences that these weaknesses can have cannot be ignored, e.g. in light of the possibility of retrieving large amounts of information with specially designed programs.

b. Subjective position

According to number 2 Paragraph 1 Article 47 Act no. 90/2018, cf. point b, paragraph 2 Article 83 of Regulation (EU) 2016/679, it should be considered whether the violation was committed intentionally or negligently.

It is clear that the security vulnerability in question was caused by negligence. It should also be noted that this involved the processing of personal information from the health system, including in order to give individuals access to information from medical record systems. Therefore, special care should be taken.

c. Actions to reduce losses to registered persons

According to number 3. Paragraph 1 Article 47 Act no. 90/2018, cf. point c, paragraph 2 Article 83 of regulation (EU) 2016/679, the actions taken in order to reduce the loss of registered persons should be taken into account.

In this regard, it is important that the Office of the National Medical Examiner reacted immediately when the security breach was noticed and prevented its harmful consequences. The office then reported the security breach to Personal Protection and underwent a technical audit to make sure that individuals had not been harmed.

d. Scope of responsibility in terms of technical and organizational measures

According to number 4. Paragraph 1 Article 47 Act no. 90/2018, cf. point d, paragraph 2 Article 83 of Regulation (EU) 2016/679, it is necessary to consider how much responsibility the controller or processor has with regard to technical and organizational measures.

As explained in chapter 1 above, the Office of the National Medical Examiner plays a central role in the security of personal information in Heilsuvera. In other respects, the office has overseen central information systems within the health system in light of Article 4 of regulation no. 550/2015 on medical records, cf. Paragraph 1 Article 24 Act no. 55/2009 on the same topic. The office therefore has a lot of responsibility in relation to security in such systems, and the Personal Protection Authority takes the said security weakness seriously in light of this, as it is fundamental that it should not be possible to see data about other persons in such a way, which is what actually happened.

At the same time, however, it is necessary to consider the explanations of the Office of the National Medical Examiner on the security measures implemented in Heilsuvera with regard to the security of personal information in general, which include encryption in communications, hosting by a party with certification according to the security standard ISO-27001, intrusion prevention and activity registration. Among other things, it can be considered clear that the activity registration made it possible to reduce the consequences of illegal access to data due to the said security weaknesses, i.a. because traceability of lookups can speed up the necessary response.

e. Scope of cooperation with the Personal Protection Agency

According to number 6 Paragraph 1 Article 47 Act no. 90/2018, cf. point f, paragraph 2 Article 83 of regulation (EU) 2016/679, the scope of cooperation with the Personal Protection Agency should be considered in order to remedy the breach and reduce its harmful effects.

As described in point c above, the Office of the National Medical Examiner has, on its own initiative, taken the necessary measures to prevent the harmful consequences of the security breach in question. As far as cooperation with the Data Protection Agency is concerned, however, the delays that occurred in granting access to data for the purpose of investigating the case, as well as the contradictory and materially incorrect explanations that the agency received, should be taken into account. In this regard, see the discussion in chapter 3 above and chapters 2-4 and chapter 6 of Part I of this decision. As can be seen from the review that these chapters contain, it was originally stated that the matter concerned, among other things, unauthorized access to attachments with information about tens of thousands of individuals, including images, PDFs and Word documents. Later, however, it was indicated that this access had not really been as extensive as it appeared at first, and the Office of the National Medical Examiner asserted in a letter to the Data Protection Authority that only in exceptional cases would personally identifiable documents have been involved. It was then added that the documents had been related to maternity care and that attachments that had been examined in this connection had turned out to be non-personally identifiable. Personal Protection had requested samples of attachments without these being sent to the institution, and it was decided to carry out a field inspection, which was carried out in two parts, as the requested data was not initially available. During the inspection, it became clear that it was not only data related to maternity care, but also attachments from the medical record system, which were selected for examination at random, all with personal identifiers. Sonogram images were not among the attachments that were shown, even though there was a request from the Data Protection Authority in that regard, but such images were sent to the institution later and were all identifiable to the expectant mother.

In light of this, it must be considered improbable that only non-personally identifiable data could have been found during the examination of said attachments, had it been carried out in a normal manner. In this regard, the Office of the National Medical Examiner has pointed out that it does not have direct access to the attachments, as they are not stored in Heilsuvera. It should be noted in this connection that the demand could nevertheless be made that it be aware of whether they were personally identifiable, cf. also section f below. It should also be noted that Personal Protection takes the contradictory and materially incorrect explanations that have been described here, as well as the repeated delays in responding to data requests, seriously.

f. Categories of personal information

According to number 7 Paragraph 1 Article 47 Act no. 90/2018, cf. point g, paragraph 2 Article 83 of Regulation (EU) 2016/679, it is necessary to consider which categories of personal data were affected by a breach.

In that connection, it is pointed out that this is about health information, which enjoys special protection, cf. also point a and chapter 3 above. It must then be considered particularly serious that, among other things, it was possible to access information from medical record systems without proper authorization, as particularly strict requirements must be made for security in such systems, cf. both the aforementioned provisions on information security in the personal protection legislation and special provisions in Act no. 55/2009 on medical records.

As regards the identification of the medical record data in question, and whether the Office of the National Medical Examiner was able to control it, it should be noted that when granting access to attachments in such systems, the office should check whether it is personally identifiable data, as that is a fundamental issue in assessing the acceptable security level.

g. Other aggravating and mitigating factors

According to number 11 Paragraph 1 Article 47 Act no. 90/2018, cf. k-item 2. paragraph Article 83 of Regulation (EU) 2016/679, other aggravating or mitigating factors related to the circumstances of the case, such as profits obtained or losses avoided, directly or indirectly, as a result of an infringement, should be considered.

In this regard, it should be noted that considerations of profit or loss do not come into play here, as the Office of the National Medical Examiner is a public institution that is not run for profit, but to fulfill a role defined by the legislature. This role includes extensive processing of sensitive personal data, and the Office of the National Medical Examiner has a strong responsibility to ensure adequate security during that processing. At the same time, special consideration must be given to the public service role played by the office, which serves, among other things, to reduce the amount of the fine that is determined. It may also be taken into account that what has been mentioned as case A, i.e. the possibility of accessing unauthorized information in the message section of Heilsuvera, existed to a large extent before the current privacy legislation came into force and with it the authority of the Personal Protection Agency to impose administrative fines.

5.
Conclusion on imposition and amount of fine

As explained in chapter 3 above, it is clear that the Office of the National Medical Examiner violated point f of paragraph 1 of Article 5, Article 25 and points b and d of paragraph 1 of Article 32 of regulation (EU) 2016/679. It appears from paragraph 1, item 1. Paragraph 2 and number 1. Paragraph 3 Article 46 Act no. 90/2018, cf. Paragraph 2, point a, paragraph 4. and point a of paragraph 5. Article 83 of the regulation, that violations of these provisions may result in administrative fines.

When determining the amount of the fine, special consideration must be given to the sensitive nature of the information in question, its scope, as well as the contradictory and factually incorrect explanations received from the Office of the National Medical Examiner. At the same time, however, the office's actions to prevent the harmful effects of the lack of security must be taken into account, as well as the public service role of the office and the security measures in Heilsuvera. In the light of these points, it is possible to consider a reduction of the administrative fine from what was assumed in the right of objection letter of May 12, 2023, and an administrative fine of ISK 12,000,000 is considered reasonable.

Decisions:

The Office of the National Medical Examiner did not adequately ensure the security of personal information in the message section of the Heilsuvera website from 2015 to June 8, 2020, cf. point f, paragraph 1 Article 5, Article 25 and points b and d of paragraph 1 of Article 32 of regulation (EU) 2016/679, cf. Number 6. Paragraph 1 Article 8, Article 24 and paragraph 1 Article 27 Act no. 90/2018. The office violated the same provisions from September 2019 to June 8, 2020 when granting access in the maternal care section of Heilsuvera to data in the health record systems of the Health Center of Suðurnesja and the Health Center of Suðurland.

A fine of ISK 12,000,000 is imposed on the Office of the National Medical Examiner. The fine must be paid to the treasury within two months from the date of this decision, cf. Paragraph 6 Article 46 Act no. 90/2018.





Persónuvernd, June 27, 2023,

Ólafur Garðarsson

chairman

Björn Geirsson            Árnína Steinunn Kristjánsdóttir

Vilhelmína Haraldsdóttir            Þorvarður Kári Ólafsson