We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
19 August 2020
What is a data breach?
What is a breach of confidentiality?
What is a breach of integrity?
What is a breach of availability?
How are companies affected by data breaches?
What are companies' obligations under the GDPR?
When must companies notify supervisory authorities?
When must companies communicate breaches to data subjects?
When must companies document breaches?
What are the consequences of non-compliance?
The use of connected medical devices (eg, device systems in hospitals monitoring patients' vital functions, software and related systems providing telemedical services and the eHealth and mHealth services and applications available on the market) has changed the way the healthcare sector works. Connected healthcare provides for various benefits for different players, whether patients, hospitals or research companies:
However, these benefits based on the advance of connected healthcare come with an increased flow of personal data, whether in hospitals or between different market players in the healthcare industry. This again has led to an increased risk of cybersecurity incidents and personal data breaches.
Thus, it did not come as a surprise that the Allianz Risk Barometer 2020 ranked cybersecurity incidents as the most important business risk globally for the first time ever. Cybersecurity is becoming more and more relevant in the healthcare sector and healthcare companies are becoming aware of this threat. Cybersecurity in the healthcare sector can affect various aspects such as network security, device security, messaging security, web security, data security and identity and access management.
Article 4(12) of the EU General Data Protection Regulation (GDPR) defines a 'data breach' as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Accordingly, a personal data breach can be a breach of confidentiality, integrity or availability.
A breach of confidentiality is a security incident in the form of an unauthorised or accidental disclosure of, or access to, personal data.
An example may be a health app for measuring diabetes being manipulated in a way that records are sent to servers in the United States without the data subject's consent or authorisation.
A breach of integrity is a security incident in the form of an unauthorised or accidental alteration of personal data. For example, if access codes and infusion pump manuals are made publicly available online by manufacturers and are not modified by hospitals, hackers could gain control of the infusion pumps and alter the injection rates for patients without the knowledge or authorisation of medical personnel, endangering the patients' lives.
A breach of availability is a security incident in which personal data is lost or destroyed.
For example, an unknown computer virus shuts down a hospital's entire network, leaving no possibility of electronic communication and no access to electronic documents and information. As a result, patients have to be moved to other hospitals and new patients cannot be taken in.
Cyberattacks and personal data breaches are on the rise and healthcare companies are usually one of the biggest targets for attackers. This is mainly for two reasons: patients´ personal data is highly valuable to attackers and medical devices are an easy entry point.
Where a personal data breach occurs, companies may have the following obligations:
Article 33(1) of the GDPR provides that, "in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority". This does not apply where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The notification must include:
In certain cases, companies must notify the supervisory authority and communicate the breach to the affected individuals.
Article 34(1) of the GDPR states that "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay". The threshold for communicating a breach to individuals is therefore higher than that for notifying supervisory authorities.
In such cases, the company should at least provide the following information to the individual:
In all cases, companies must keep documentation of data breaches (eg, by maintaining a data breach register).
Article 33(5) of the GDPR explains that "the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken".
If companies fail to meet the above obligations, they risk receiving significant administrative fines and potential claims for compensation. According to Article 83 of the GDPR, the maximum fine for violating the GDPR is up to €20 million or 4% of the total worldwide turnover of the preceding financial year – whichever is greater. Further, affected individuals may claim compensation for damages suffered and companies may suffer reputational damage (eg, negative media coverage).
For further information on this topic please contact Constantin Herfurth or Magdalena Kotyrba at Eversheds Sutherland (Germany) LLP by telephone (+49 89 54565 295) or email (email@example.com or firstname.lastname@example.org). The Eversheds Sutherland (Germany) LLP website can be accessed at www.eversheds-sutherland.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.