On 24 November 2022, the Romanian DPA announced that it had sanctioned a medical services provider with a EUR 1,000 fine for failing to implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of the processing.
The investigation was launched following the receipt of a data breach notification submitted by the controller.
During the investigation, the Romanian DPA found that the data breach occurred when an e-mail sent to a client included additional agreements to healthcare service agreements belonging to other clients of the controller.
Consequently, the incident led to the loss of confidentiality of the processed data through unauthorized disclosure and unauthorized access to certain personal data, such as: name and surname, personal numerical code, address and signature.
The press release is available here (only in Romanian).