VDAI (Lithuania) - 3R-1143
Lithuanian DPA fines medical company €450K for inadequate data security measures.
Summary
Lithuania's Data Protection Authority (VDAI) has fined a medical company €450,000 for failing to implement appropriate technical and organizational measures to ensure data security. The breaches, which affected sensitive health data and personal information of approximately 383,000 individuals, were attributed to inadequate access controls and weak password complexity, with no multi-factor authentication in place.
Full text
Help VDAI (Lithuania) - 3R-1143: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 07:28, 8 July 2026 view sourceAv (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators66 editsTag: Visual edit← Older edit Latest revision as of 09:24, 8 July 2026 view source Av (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators66 editsTag: Visual edit (One intermediate revision by the same user not shown)Line 69: Line 69: === Holding ====== Holding === The DPA imposed a fine of €450,000 on the legal successor of one of the controllers. It held that the controllers had failed to implement appropriate technical and organisational measures to ensure the security of processing and compliance with the principles of integrity and confidentiality. The controller had violated Articles 5(1)(f), 24(1), and 32(1)(b) GDPR.The DPA imposed a fine of €450,000 on the first controller it investigated as this company was also the legal successor of the other controller. It held that the controllers had failed to implement appropriate technical and organisational measures to ensure the security of processing and compliance with the principles of integrity and confidentiality. The controller had violated Articles 5(1)(f), 24(1), and 32(1)(b) GDPR. When assessing the GDPR infringements, the DPA took into account that the controllers processed sensitive categories of personal data. The DPA held the controllers lacked adequate security measures for protecting against unauthorised access to an IT system, such as access control and authentication. For instance, passwords used by employees did not reach a certain level of complexity, and multi-factor authentication was not used.When assessing the GDPR infringements, the DPA took into account that the controllers processed sensitive categories of personal data. The DPA held the controllers lacked adequate security measures for protecting against unauthorised access to an IT system, such as access control and authentication. For instance, passwords used by employees did not reach a certain level of complexity, and multi-factor authentication was not used. Latest revision as of 09:24, 8 July 2026 VDAI - 3R-1143 [[File:|center|250px]] Authority: VDAI (Lithuania) Jurisdiction: Lithuania Relevant Law: Article 5(1)(f) GDPR Article 24(1) GDPR Type: Investigation Outcome: Violation Found Started: 08.09.2024 Decided: 19.06.2026 Published: 29.06.2026 Fine: 450,000 EUR Parties: n/a National Case Number/Name: 3R-1143 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Lithuanian Original Source: VDAI (in LT) Initial Contributor: av The DPA fined a medical company €450,000 after a third party had gained access to the health data of patients due to the controller’s failure to implement appropriate technical and organisational measures resulting in a violation of the principles of integrity and confidentiality. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Two medical companies (the controllers) had fallen victim to data breaches where a third party had gained access to their internal systems containing both health data and other personal data of patients (the data subjects). The first breach potentially concerned 63 data subjects, whereas the latter breach affected approximately 10,000 employees and 383,000 data subjects. The DPA initiated two separate investigations against the controllers in September 2024 and November 2025 respectively and later combined the cases. Holding The DPA imposed a fine of €450,000 on the first controller it investigated as this company was also the legal successor of the other controller. It held that the controllers had failed to implement appropriate technical and organisational measures to ensure the security of processing and compliance with the principles of integrity and confidentiality. The controller had violated Articles 5(1)(f), 24(1), and 32(1)(b) GDPR. When assessing the GDPR infringements, the DPA took into account that the controllers processed sensitive categories of personal data. The DPA held the controllers lacked adequate security measures for protecting against unauthorised access to an IT system, such as access control and authentication. For instance, passwords used by employees did not reach a certain level of complexity, and multi-factor authentication was not used. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details. Extract of an electronic document STATE DATA PROTECTION INSPECTORATE DECISION June 19, 2026 No. 3R-1143 (2.13-1 E) Vilnius The State Data Protection Inspectorate (hereinafter referred to as the Inspectorate) in the oral procedure at the meeting held on 2 June 2026 [DATA NOT PUBLISHED] examined the case regarding the imposition of an administrative fine on UAB InMedica (hereinafter referred to as the Company or Clinic), legal entity code 300011170. Circumstances for initiating inspections by the Inspectorate The Inspectorate, taking into account the September 2024. publicly available information1 about a personal data breach (hereinafter referred to as ADSP 1), which indicates that a third party has accessed the internal data management system of UAB “Kardiolita” (hereinafter referred to as Company 1), which displays the personal data of data subjects, and in accordance with Subsection 5.1 of the Rules for Monitoring by the State Data Protection Inspectorate2 and Subsection 1a of Article 57 of the GDPR3, has monitored the application of the GDPR in relation to Company 1. Taking into account the information obtained during the monitoring and in accordance with Subsections 1 and 2 of Article 20 of the ADTAĮ4, Subsections 4.4 and 16.1 of the Rules for Conducting Investigations and (or) Inspections by the State Data Protection Inspectorate5 (hereinafter referred to as the Rules), Order No. of the Director of the State Data Protection Inspectorate of 24-01-2025 1T-16 (1.12.E) “On the inspection of UAB “Kardiolita” at the initiative of the State Data Protection Inspectorate” decided to initiate an inspection on its own initiative regarding a possible violation of the provisions of the GDPR in respect of Company 1 (hereinafter referred to as Inspection 1). The Inspectorate, having received the notification submitted by the Company on a personal data security violation (hereinafter referred to as ADSP 2) (received by the Inspectorate on 2025-11-03, reg. No. 1R-7533 (2.23 Mr)) (hereinafter referred to as Notification 2) on 31 October 2025 and in accordance with Article 20, Parts 1 and 2 of the ADTAĮ, Subparagraphs 4.2, 4.4 and 16.1 of the Rules, Order No. 1T-81 (1.12 E) of the Director of the State Data Protection Inspectorate of 2025-11-03 “On the inspection of UAB InMedica at the initiative of the State Data Protection Inspectorate”, initiated an investigation into a possible violation of the provisions of the GDPR in relation to the Company (hereinafter referred to as Inspection 2). 1. Legal regulation6 1 https://www.youtube.com/watch?v=uqRnL6iNYq8 2 Rules for conducting monitoring by the State Data Protection Inspectorate, approved by the Order of the Director of the State Data Protection Inspectorate of 8 November 2023 No. 1T-91 (1.12.E.) “On the approval of the rules for conducting monitoring by the State Data Protection Inspectorate” 3 27 April 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred