UODO investigates data leakage from telemedicine platform
The Personal Data Protection Office received a data breach notification from Telmedicin sp. z o.o., which is responsible for a telemedicine platform and remote consultations with physicians of various specialties. The case is currently being analyzed.
The controller received a notification from a third party about a security flaw in one of the subsystems responsible for handling voice calls. Because of this vulnerability, an unauthorized person could, for a short period of time, gain access to a user's phone number and, if the consultation included an audio recording, download that recording.
Immediately after obtaining this information, the company fixed the error by blocking the operation of the affected subsystem, with no other consequences for the continuity of customer service. Moreover, the controller secured the data against unauthorized access.
The incident may result in loss of confidentiality of patients' personal data, which is protected by professional secrecy.
Personal data breach notification
The purpose of personal data breach notification is, among other things, for the supervisory authority to assess whether the controller has correctly complied with, for example, its obligation to communicate to the data subject a personal data breach, if indeed a situation has arisen in which it is obliged to do so.
In the case of a personal data leak, UODO cooperates with controllers, providing advice or consulting on the content of the personal data breach communication to data subjects. The activities of the supervisory authority are aimed at ensuring that the controller processes personal data in accordance with the law.
What should I do if a breach of my personal data occurs?
First of all, you have to be very careful when providing your personal data via the Internet. You have to carefully analyze the messages you receive from the controller, e.g. by SMS or e-mail, to avoid, among other things, phishing attacks whose aim is to obtain additional data.
Hacking attacks, i.e. breaking the security measures of IT systems in which personal data is processed, or exploiting existing vulnerabilities (gaps) in these systems, are situations in which unauthorized persons gain (or are able to gain) possession of personal data. If the controller determines that there is a risk of unauthorized use of the data which may result in a threat to the rights or freedoms of natural persons (e.g. so-called identity theft), the controller shall communicate the incident to the data subject.
Individuals who suspect that they may have been a victim of identity theft should report it to the Police in the first place. The President of the Personal Data Protection Office is not a law enforcement authority and has no power to conduct proceedings aimed at identifying the perpetrator of a crime, assessing whether a crime has been committed, qualifying the criminal act, or imposing an appropriate penalty.