
Irish Data Protection Commission Case Studies


URL: http://www.bailii.org/ie/cases/IEDPC/2013/2013IEDPC18.html
Cite as: [2013] IEDPC 18



Case Study 18: Computer affected by Ransomware
 
Our Office received a notification from a Medical Practitioner that their computer system had been compromised by Ransomware.
 
Ransomware is malicious software designed to extort money from a user by disabling their computer or encrypting the files stored on it. The user is then informed that they must pay to have the files restored. There is a risk that, after paying the “ransom”, the user will still not regain control of their system.
 
The data controller notified the Office that they were unable to access their computer system, due to the Ransomware that had been installed on their systems. This meant that they were unable to access their patient files. They also advised the Office that they had received a demand for €5,000 in return for the re-instatement of the data. The data controller stated that they had informed An Garda Síochána and had not paid the ransom.
 
The data controller, on discovering the issue, alerted their IT service provider. After an initial investigation, a third party IT service provider was also employed to help recover the data. During this process, the data controller discovered that backup data for the previous five months had also been compromised. The data controller had therefore lost all patient data obtained in the previous five months.
 
Our Office contacted the data controller and asked that we speak directly to the IT service provider to determine how the backup tapes going back over a period of five months had been compromised. The IT service provider informed us that there were two separate backup facilities in place. Firstly, there was an on-site hard drive device that was written to each night. Secondly, there was a system of backup tapes in place, which were then stored off-site.
 
The on-site hard drive had been affected by the Ransomware. However, it was discovered that the off-site tape backup system had not actually been recording anything, and the backup software had issued no alert to flag the failure.

We sought assurance from the IT service provider that the data had not been exported by the Ransomware. The IT service provider stated that it had found no evidence to suggest that the data had been taken from the data controller.
 
It was noted that the data controller had a basic firewall in place and an up-to-date anti-virus system. The data controller had also set aside a budget for an upgrade to their computer systems to take place later in the year.
 
The data controller informed this Office that it was preparing to notify all its patients. We recommended that the notification be directed to those individuals for whom records had been compromised. Any patients who had not attended the practice since the last viable backup tape was created were not affected by the security breach as their records were not compromised.
 
It was clear that the data controller had installed systems to protect the data under its control and was planning on upgrading the systems. However, it is imperative that, when systems are implemented, they are checked on a regular basis to ensure they are operating correctly.
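The regular check that the closing paragraph calls for, as an added example that is not part of this case study: a small Python script that reads last night's backup back and alerts when the backup job is stale, recorded nothing (the tape failure above), or holds copies that no longer match their recorded hashes (an encrypted on-site copy). It assumes a constructed layout in which the backup job writes file copies alongside a manifest.txt of "sha256  filename" lines; the fixture in run_demo is constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

MAX_AGE = timedelta(hours=26)  # nightly job; anything older means a run was missed

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_backup(source: Path, backup: Path, now: datetime) -> list[str]:
    """Return alert strings; an empty list means the backup is recent, non-empty and readable."""
    manifest = backup / "manifest.txt"  # assumed layout: written by the backup job on completion
    if not manifest.is_file():
        return ["no manifest: backup job never ran or did not finish"]
    alerts = []
    age = now - datetime.fromtimestamp(manifest.stat().st_mtime)
    if age > MAX_AGE:
        alerts.append(f"stale backup: manifest is {age.days} day(s) old")
    entries = [ln.split("  ", 1) for ln in manifest.read_text().splitlines() if ln.strip()]
    if not entries:
        alerts.append("empty manifest: the job ran but recorded nothing")
    for digest, rel in entries:  # read each copy back and compare with the recorded hash
        copy = backup / rel
        if not copy.is_file():
            alerts.append(f"missing from backup: {rel}")
        elif sha256_file(copy) != digest:
            alerts.append(f"unreadable or altered copy: {rel}")  # an encrypted copy fails here
    return alerts

def run_demo() -> tuple[list[str], list[str]]:
    """Constructed fixture: one sound backup and one that silently stopped recording."""
    root = Path(tempfile.mkdtemp())
    src, good, silent = root / "records", root / "good", root / "silent"
    for d in (src, good, silent):
        d.mkdir()
    lines = []
    for name in ("patient-0001.txt", "patient-0002.txt"):
        (src / name).write_bytes(f"constructed record {name}".encode())
        (good / name).write_bytes((src / name).read_bytes())
        lines.append(f"{sha256_file(src / name)}  {name}")
    (good / "manifest.txt").write_text("\n".join(lines) + "\n")
    (silent / "manifest.txt").write_text("")  # job 'ran' but wrote nothing, like the tape drive
    old = (datetime.now() - timedelta(days=3)).timestamp()
    os.utime(silent / "manifest.txt", (old, old))
    return check_backup(src, good, datetime.now()), check_backup(src, silent, datetime.now())
```

Run check_backup from a scheduled job each morning and route a non-empty result to someone who will read it; a backup that only fails loudly at restore time is the failure mode this case study describes.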
 

