HOSPITAL CYBER ATTACKS AND GDPR: WHAT CAN MY COMPANY LEARN?
In January this year, Norway’s South-East Regional Health Authority admitted a data breach, and it was serious. The Authority is responsible for managing all hospitals in the southeast of Norway. It conceded that the medical records of 2.9 million Norwegians had been potentially exposed to cyber attack. Significantly, it took the organisation seven days from the date it became aware of the attack to publicise the breach. This is considerably in excess of the GDPR requirements that:
Notification of a breach of data must occur within 72 hours of the organisation concerned becoming aware of it; and
Where the breach is going to adversely affect the rights of individuals, they must be informed ‘without undue delay’.