Polish Municipal Welfare Unit Fined for Unreported Health Data Breach Exposed via Public Server
A municipal social welfare unit in Poland failed to implement adequate technical and organizational measures to protect sensitive health and quarantine data, which was inadvertently exposed on a public server and indexed by search engines. Compounding the violation, the organization failed to report the breach to the supervisory authority within the mandatory 72-hour window after discovering it in February 2021 — more than two months after the November 2020 exposure. The case also highlights a governance failure, as the unit initially denied being the data controller, suggesting a lack of clarity around data ownership and accountability. These combined failures — poor security hygiene, delayed breach notification, and unclear data controller responsibilities — represent a systemic breakdown in GDPR compliance that resulted in three separate fines.
Tactical Insight
Immediate actions
- Audit all public-facing servers and storage assets to ensure no sensitive personal data is inadvertently exposed or indexable by search engines.
- Establish a documented breach notification procedure that enforces the 72-hour GDPR reporting obligation with assigned owners and escalation paths.
- Clearly document and assign data controller responsibilities across all organizational units handling personal data.
Long-term improvements
- Implement Data Protection Impact Assessments (DPIAs) for any system processing special category data such as health information.
- Conduct regular staff training on GDPR obligations, including breach identification, reporting timelines, and data controller accountability.
- Enforce a data minimization and classification policy to ensure sensitive data is stored only in appropriately secured, access-controlled environments.
Detection measures
- Deploy web crawling and external exposure monitoring tools to detect publicly indexed sensitive data proactively.
- Implement logging and alerting on access to repositories containing special category personal data to detect unauthorized or anomalous access early.