Inquiry into Centric Health Ltd. (“Centric”) - February 2023

(IN-21-2-4)

Date of Decision: 23 February 2023

The DPC commenced the Inquiry following a ransomware attack affecting patient data held on Centric’s patient administration system, which was notified to the DPC on 5 December 2019. As a result of this attack, 70,000 data subjects were affected by unauthorised access to, unauthorised alteration of, and loss of availability of their personal and special category data. Of these, 2,500 patients were permanently affected, as their data was deleted with no backup available.

The decision considered whether Centric had complied with Articles 5(1)(f), 5(2) and 32(1) GDPR and, in particular, whether Centric had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.

The decision found that Centric had infringed its obligations under Articles 5(1), 5(2) and 32(1) GDPR and that the processing by Centric within its Patient Administration System failed to ensure that the personal data was processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The corrective powers exercised:

  • The decision issued Centric with a reprimand in respect of the infringements.
  • The decision imposed an administrative fine on Centric in the amount of €275,000 in respect of the infringement of Article 5(1)(f) GDPR.
  • The decision imposed an administrative fine on Centric in the amount of €50,000 in respect of the infringement of Article 5(2) GDPR.
  • The decision imposed an administrative fine on Centric in the amount of €135,000 in respect of the infringement of Article 32(1) GDPR.

For more information, you can download the full decision at this link: Inquiry into Centric Health Ltd. - February 2023 (PDF, 0.67 MB).