Back to Feed
GDPRJul 7, 2026

VDAI (Lithuania) - 3R-1143

Lithuanian DPA fines medical company €450K for inadequate security measures enabling patient data breach.

Summary

Lithuania's State Data Protection Inspectorate (VDAI) imposed a €450,000 fine on medical company UAB InMedica for failing to implement appropriate technical and organizational security measures, resulting in unauthorized third-party access to patient health data. The violation affected up to 383,000 data subjects across two breaches and involved non-compliance with GDPR Articles 5(1)(f), 24(1), and 32(1)(b), specifically inadequate access controls, weak password policies, and lack of multi-factor authentication.

Full text

Help VDAI (Lithuania) - 3R-1143: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Latest revision as of 13:14, 7 July 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators60 edits Tag: submission [1.0] (No difference) Latest revision as of 13:14, 7 July 2026 VDAI - 3R-1143 [[File:|center|250px]] Authority: VDAI (Lithuania) Jurisdiction: Lithuania Relevant Law: Article 5(1)(f) GDPR Article 24(1) GDPR Type: Investigation Outcome: Violation Found Started: 08.09.2024 Decided: 19.06.2026 Published: 29.06.2026 Fine: 450,000 EUR Parties: n/a National Case Number/Name: 3R-1143 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Lithuanian Original Source: VDAI (in LT) Initial Contributor: av The DPA fined a medical company EUR 450,000 – a third party had gained access to the health data of patients due to a failure to implement appropriate technical and organisational measures and non-compliance with the principles of integrity and confidentiality. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Two medical companies (the controllers) had fallen victim to data breaches where a third party had gained access to their internal systems containing both health data and other personal data of patients (the data subjects). The first breach potentially concerned 63 data subjects, whereas the latter breach affected approximately 10,000 employees and 383,000 data subjects. The DPA initiated two separate investigations against the controllers in September 2024 and November 2025 respectively and later combined the cases. Holding The DPA imposed a fine of EUR 450,000 on the legal successor of one of the controllers. It held that the controllers had failed to implement appropriate technical and organisational measures to ensure the security of processing and compliance with the principles of integrity and confidentiality. The controller had violated Articles 5(1)(f), 24(1), and 32(1)(b) GDPR. When assessing the GDPR infringements, the DPA took into account that the controllers processed sensitive categories of personal data. The DPA held the controllers lacked adequate security measures for protecting against unauthorised access to an IT system, such as access control and authentication. For instance, passwords used by employees did not reach a certain level of complexity, and multi-factor authentication was not used. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details. Extract of an electronic document STATE DATA PROTECTION INSPECTORATE DECISION June 19, 2026 No. 3R-1143 (2.13-1 E) Vilnius The State Data Protection Inspectorate (hereinafter referred to as the Inspectorate) in the oral procedure at the meeting held on 2 June 2026 [DATA NOT PUBLISHED] examined the case regarding the imposition of an administrative fine on UAB InMedica (hereinafter referred to as the Company or Clinic), legal entity code 300011170. Circumstances for initiating inspections by the Inspectorate The Inspectorate, taking into account the September 2024. publicly available information1 about a personal data breach (hereinafter referred to as ADSP 1), which indicates that a third party has accessed the internal data management system of UAB “Kardiolita” (hereinafter referred to as Company 1), which displays the personal data of data subjects, and in accordance with Subsection 5.1 of the Rules for Monitoring by the State Data Protection Inspectorate2 and Subsection 1a of Article 57 of the GDPR3, has monitored the application of the GDPR in relation to Company 1. Taking into account the information obtained during the monitoring and in accordance with Subsections 1 and 2 of Article 20 of the ADTAĮ4, Subsections 4.4 and 16.1 of the Rules for Conducting Investigations and (or) Inspections by the State Data Protection Inspectorate5 (hereinafter referred to as the Rules), Order No. of the Director of the State Data Protection Inspectorate of 24-01-2025 1T-16 (1.12.E) “On the inspection of UAB “Kardiolita” at the initiative of the State Data Protection Inspectorate” decided to initiate an inspection on its own initiative regarding a possible violation of the provisions of the GDPR in respect of Company 1 (hereinafter referred to as Inspection 1). The Inspectorate, having received the notification submitted by the Company on a personal data security violation (hereinafter referred to as ADSP 2) (received by the Inspectorate on 2025-11-03, reg. No. 1R-7533 (2.23 Mr)) (hereinafter referred to as Notification 2) on 31 October 2025 and in accordance with Article 20, Parts 1 and 2 of the ADTAĮ, Subparagraphs 4.2, 4.4 and 16.1 of the Rules, Order No. 1T-81 (1.12 E) of the Director of the State Data Protection Inspectorate of 2025-11-03 “On the inspection of UAB InMedica at the initiative of the State Data Protection Inspectorate”, initiated an investigation into a possible violation of the provisions of the GDPR in relation to the Company (hereinafter referred to as Inspection 2). 1. Legal regulation6 1 https://www.youtube.com/watch?v=uqRnL6iNYq8 2 Rules for conducting monitoring by the State Data Protection Inspectorate, approved by the Order of the Director of the State Data Protection Inspectorate of 8 November 2023 No. 1T-91 (1.12.E.) “On the approval of the rules for conducting monitoring by the State Data Protection Inspectorate” 3 27 April 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR) 4 of the Law of the Republic of Lithuania on the Legal Protection of Personal Data (hereinafter referred to as the LPD) 5 of the Rules for conducting investigations and/or inspections carried out by the State Data Protection Inspectorate, approved by Order No. 17 of the Director of the State Data Protection Inspectorate of 17 July 2019 1T-92 (1.12.E) “On the approval of the rules for conducting investigations and (or) inspections carried out by the State Data Protection Inspectorate” 6 Analogous legal regulation applies to both Inspection 1 and Inspection 2 2 In Article 4(1)(15) of the GDPR, health data is defined as personal data relating to the physical or mental health of a natural person, including data on the provision of health care services, revealing information about the health status of that natural person. The processing of personal data is considered lawful if it is based on at least one of the conditions for lawful processing of personal data set out in Article 6(1) of the GDPR and complies with at least one of the exceptions provided for in Article 9(2) of the GDPR (when processing special categories of personal data) and complies with the principles relating to the processing of personal data set out in Article 5 of the GDPR. According to Article 5(2) GDPR, the controller is responsible for compliance with Article 5(1) GDPR and must be able to demonstrate compliance (accountability principle). Article 5(1)(f) GDPR provides that personal data shall be processed in such a way that appropriate technical or organisational measures ensure adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (principle of integrity and confidentiality). The principles of integrity and confidentiality are inextricably linked to the obligations of the controller to implement appropriate technical and organisational measures to ensure the security of the personal

Entities

VDAI (State Data Protection Inspectorate) (vendor)UAB InMedica (product)UAB Kardiolita (product)