Outcomes - Selected Case Summaries



Pharmacy suffers ransomware attack

Informal Resolution | 02 December 2021

In October 2019 a pharmacy discovered a data breach that had been ongoing for three months. The breach involved sensitive personal data of some 242 individuals whose emails to the pharmacy, many of which contained sensitive personal data, had been diverted to an external email address.

The data controller and its IT service provider took immediate action and implemented a number of technical and organizational measures to mitigate the issue and prevent it from re-occurring. The Ombudsman and the data subjects were notified, as required under the DPA.

The Ombudsman conducted an extensive investigation, focused on the technical and organizational measures that were in place at the time of the breach, as well as any mitigation that took place after the incident. Despite the severity of the breach, the Ombudsman decided not to impose a financial penalty because of the timing of the breach (which started well before the commencement of the DPA) and the thoroughness and timeliness of the data controller’s response.