29-06-2026

Company fined for personal data breaches

The State Data Protection Inspectorate (hereinafter referred to as the SDPI) has imposed a fine of EUR 450,000 on UAB InMedica for breaches of personal data security.

The SDPI conducted two inspections of medical companies, which were later combined into a single inspection.

Taking into account information publicly available in September 2024 (Skirmantas Malinauskas's episode "Nulaužta Lietuva" ("Lithuania Hacked") of 8 September 2024) regarding a personal data breach (hereinafter referred to as PDB), according to which a third party gained access to the internal data management system of UAB Kardiolita (hereinafter referred to as Company 1), a system containing the personal data of data subjects (the patient information system), the SDPI carried out GDPR compliance monitoring of Company 1. Following the monitoring, it was decided to launch an investigation on the SDPI's own initiative, based on the suspicion that the GDPR may have been breached.

Another inspection was started on the SDPI's own initiative after it received a PDB report from UAB InMedica (hereinafter referred to as Company 2). Company 2 suffered a data-encryption and ransom attack in which a third party encrypted data on four systems. These systems were used to process the personal data of patients and employees.

After conducting the first inspection, of Company 1, the SDPI established that an adequate level of personal data security was not ensured at the time of the PDB: the PDB occurred because Company 1 did not sufficiently ensure access control and used inadequate authentication for logging into the system containing personal data. Specifically, when employees logged in from an external network (the Internet), multi-factor authentication was not applied, access was not restricted to authorised persons only, and login passwords did not meet a defined level of complexity.

After conducting the second inspection, of Company 2, the SDPI established that the affected systems of Company 2 likewise failed to ensure an adequate level of personal data security at the time of the PDB. Company 2 did not adequately ensure access control and authentication: multi-factor authentication was not applied when privileged users logged in from an external network (the Internet), and access was not restricted to authorised persons only.

Since UAB InMedica has been the successor to the rights and obligations of UAB Kardiolita as of 25 June 2025, the fine was imposed on UAB InMedica. The administrative fine was imposed for violations of Article 24(1), Article 32(1)(b) and Article 5(1)(f) of the GDPR.

The decision may be appealed in court within one month from the date of notification.