The director of the Catalan Data Protection Authority (APDCAT), Meritxell Borràs, reported today in the Parliament that the Authority has opened an information file on the cyberattack on the Hospital Clínic and related entities, which led to the leak of thousands of pieces of data belonging to users of the health service. Borràs said that the APDCAT is working to determine whether these entities had previously implemented the technical and organizational measures needed to guarantee a level of security appropriate to the risk involved in this data processing, taking into account its volume and category, given that it includes especially sensitive data protected by the regulations.
During her appearance before the Committee on Institutional Affairs of the Parliament of Catalonia to present the Authority's activity report for 2022, Borràs explained that the technical teams of the APDCAT are analyzing all the information to determine whether or not to open a sanctioning file for breach of the regulations. However, she recalled that the hospital informed the APDCAT of the security breach within the period provided by the regulations and acted diligently upon learning of the incident. She added that it is implementing new measures to strengthen the security of its systems.
Facial recognition as an alternative
During her speech, the director also warned that a growing number of organizations are being detected that are considering facial recognition systems for their ordinary activity without proposing any alternative. Borràs recalled that these systems process biometric data, which are specially protected by the regulations, and that they can only be applied in specific cases expressly provided for in the law.
Borràs called for the involvement and collaboration of organizations and society to limit the use of these systems, which present significant risks to the rights and freedoms of citizens, such as individual freedom or the right not to be discriminated against. She also spoke of the risks derived from an incorrect design of these systems, such as discrimination, bias in identification, or lack of reliability in the results. Borràs asked that an alternative be offered in every case, so that facial recognition is not the only possible option to access a certain product or service.
Presentation of the report
The appearance also served to present to the Parliament of Catalonia the 2022 report, as well as the most relevant actions carried out by the Authority. Borràs highlighted that, on the twentieth anniversary of its creation, the Authority is a consolidated organization capable of responding to the needs of the citizens of Catalonia, as far as its competences allow.
In this context, the director highlighted the definition of the new Strategic Plan 2023-2028, which has made it possible to identify the strategic lines of the present and future, and establish priorities with an emphasis on awareness, accompaniment and control, with training and awareness as highlights.
Borràs also highlighted the increase in information security breaches registered in Catalan public organizations and private ones that exercise public functions. The APDCAT has received 21% more notifications of security breaches (NVS), more than a third of them as a result of cyberattacks. The notified breaches affected the confidentiality, integrity or availability of the data of more than 800,000 people. For Borràs, these figures show that it is more necessary than ever to comply with the obligations set out in the General Data Protection Regulation and to apply security measures appropriate to the risk, taking into account the type of data processed, the volume, the technologies used, etc. The director said that cybercrime is here to stay, and that we must be aware of the importance of adequately protecting the personal data that is processed, because exposure to an attack is real and can have significant repercussions on people.
During her speech, Borràs also highlighted the 54% increase in disciplinary proceedings initiated in 2022, and stressed that the largest number of infringements declared is related, as in previous years, to the violation of the principle of confidentiality, followed by the infringement of the principle of legality.
The director of the Catalan Data Protection Authority, Meritxell Borràs, has appeared before the Institutional Affairs Committee of the Parliament of Catalonia to give an account of the Authority's activity report for 2022.