Rivas Zorggroep, a healthcare group providing home and hospital care in the Netherlands, announced on 24 February that a digital intrusion in their system led to the leak of 8,000 patients’ personal information.
The breach allowed a hacker to access Rivas’s employee database and send emails to the staff listed in it. Of the 600 emails sent by the hacker, half successfully arrived in recipients’ inboxes. The email contained a link that led recipients to a mock Rivas website, which requested their login details (i.e., username and password).
This method of using emails to illegally obtain sensitive information is called phishing. In the case of the Rivas phishing incident, it took just one person to fall for the scheme and expose a mailbox containing sensitive data of about 8,000 pediatric patients. The information included the children’s social security numbers and medical appointment information, but did not include medical records. To notify parents of the impacted patients, Rivas sent them a letter containing details of the breach.
When the European Union’s new General Data Protection Regulation (GDPR) goes into effect on 25 May 2018, organizations will have to comply with a new set of guidelines to prepare for and mitigate the risks of potential data leaks.
What will Rivas need to do to prepare for the GDPR and avoid paying heavy fines in the event of a data leak? Below, we examine four key areas on which the healthcare provider should focus:
1. Data breach notification requirements
If Rivas had been hacked after the GDPR went into effect, they would have been required to report the data leak to the National Data Protection Authority and to all affected individuals (i.e., parents of affected pediatric patients), within 72 hours of the incident. Additionally, Rivas would have been required to provide affected individuals with specifics concerning the nature of their compromised information and the contact details of the organization’s Data Protection Officer, who would inform them of next steps.
2. The role of the Data Protection Officer (DPO)
After the GDPR is implemented, the DPO will be responsible for ensuring that organizations proactively mitigate the risk of cyber-attacks, obtain consent from individuals to store their personal information and ensure those individuals understand exactly which details will be stored. In the event of a data breach, the DPO will be required to conduct an impact analysis of all affected systems that contain or carry personal data, answering questions such as:
- Where do we store personal information?
- What information do we store?
- Should we store this information in that location?
- Are we in control of data retention dates and encryption?
Additionally, the DPO will have to explain the potential consequences to those whose information has been impacted and outline next steps for mitigating those consequences. In the case of Rivas’s data breach, the hospital’s DPO would need to explain to the parents of impacted patients how the leak of their children’s data (e.g., name, date of birth, social security number, appointments, etc.) could potentially be used for identity theft and what actions they could take to protect themselves.
3. Storage and management of children’s personal data
If it had occurred after the GDPR was implemented, the consequences of Rivas’s data leak would have been more severe, because the regulation considers children to be a high-risk, vulnerable group that is more susceptible to identity theft. The new regulation warrants children-specific protection of their personal data, as they may be less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. Any information and communication, where processing is addressed to a child, should be in such clear and plain language that the child can easily understand it.
A concerning aspect of this case, and a good example of the broad impact of the GDPR, is how Rivas decided to store the personal data of its patients. Most company and employee mailboxes contain personal information of colleagues, customers and third parties. Before the GDPR goes into effect, it will be important for companies to better control how and where personal information is stored and secured.
4. Obtaining explicit consent
The GDPR’s guidelines specific to protecting children imply that companies must obtain mandatory, explicit consent to store and use children’s personal information from the legally responsible parents or guardians (except in the context of preventive or counselling services). Article 13 of the GDPR describes what information needs to be provided to the individual when Rivas wants to store personal information.
Preparing your organization for GDPR
The first step toward preparing your organization for the GDPR is to define where and how your organization processes and stores individuals’ personal data. This may require you to assess repositories, archives or systems that contain digital or paper records.
In Rivas’s case, it may be difficult for the healthcare provider to pinpoint all locations where it stores personal information. One of the few viable solutions for organizations dealing with such a large volume of personal information is a software tool, such as eDiscovery. The eDiscovery tool has automated capabilities to scan Rivas’s systems and pinpoint locations that contain personal information and require action.
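The inventory step described above, reduced to its core, as an added illustration that is not part of the original article and not AMPLEXOR's eDiscovery tool: scan a set of mailbox items for Dutch social security numbers (BSN, checked with the standard 11-proef so that arbitrary nine-digit numbers are not flagged) and for date-of-birth-like dates, and report only the locations that need action, with the identifiers masked so the report itself does not become another copy of the data. The mailbox contents and paths are constructed sample values.

```python
import re

# Constructed sample export: path -> message body. The BSNs are synthetic values that
# pass the 11-proef and do not identify any real person; the order number does not pass it.
MAILBOX = {
    "inbox/afspraken-2018.txt": "Patient: J. de Vries, geb. 12-03-2010, BSN 111222333, afspraak 14 maart 10:00",
    "inbox/newsletter.txt": "Team update: parking lot closed next week.",
    "inbox/order.txt": "Order 123456789 shipped to the pharmacy.",
    "sent/herinnering.txt": "BSN 123456782 - controle afspraak verplaatst naar 20-03-2018",
}

BSN_WEIGHTS = [9, 8, 7, 6, 5, 4, 3, 2, -1]


def valid_bsn(candidate: str) -> bool:
    """11-proef: nine digits whose weighted sum (weights 9..2, then -1) is divisible by 11."""
    if not re.fullmatch(r"\d{9}", candidate):
        return False
    return sum(int(d) * w for d, w in zip(candidate, BSN_WEIGHTS)) % 11 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report can be shared with the DPO safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> dict:
    """Return the personal-data categories found in one message body."""
    found = {"bsn": [], "date": []}
    for m in re.finditer(r"\b\d{9}\b", text):
        if valid_bsn(m.group()):
            found["bsn"].append(m.group())
    # dd-mm-yyyy; dates of birth and appointment dates both match, so they need human review.
    found["date"] = re.findall(r"\b\d{2}-\d{2}-(?:19|20)\d{2}\b", text)
    return found


def inventory(store: dict) -> dict:
    """Locations holding personal data, with category list, hit count and masked BSNs."""
    report = {}
    for location, text in store.items():
        found = scan_text(text)
        categories = [k for k, v in found.items() if v]
        if categories:
            report[location] = {
                "categories": categories,
                "count": sum(len(v) for v in found.values()),
                "bsn_masked": [mask(b) for b in found["bsn"]],
            }
    return report


if __name__ == "__main__":
    for location, details in inventory(MAILBOX).items():
        print(location, details)
```

Only the two messages that actually hold patient data appear in the report; the newsletter and the order number are skipped, which is the filtering that keeps a register of "where do we store personal information" usable.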
AMPLEXOR can not only help your organization define and categorize its methods of processing and storing personal information, but also prevent and / or minimize the impacts of potential data breaches with our dedicated, secure software tools, including eDiscovery. We can implement a case-management system designed specifically for your company to keep record of cyber-attacks on personal information, securely store all communication interactions and maintain documents that must be submitted to the Data Protection Authority in the event of a data breach.