Back to all lessons
Awareness Lessons
3 days ago

Polish Municipal Welfare Unit Fined for Unreported Health Data Breach Exposed via Public Server

A municipal social welfare unit in Poland failed to implement adequate technical and organizational measures to protect sensitive health and quarantine data, which was inadvertently exposed on a public server and indexed by search engines. Compounding the violation, the organization failed to report the breach to the supervisory authority within the mandatory 72-hour window after discovering it in February 2021 — more than two months after the November 2020 exposure. The case also highlights a governance failure, as the unit initially denied being the data controller, suggesting a lack of clarity around data ownership and accountability. These combined failures — poor security hygiene, delayed breach notification, and unclear data controller responsibilities — represent a systemic breakdown in GDPR compliance that resulted in three separate fines.

Tactical Insight

Immediate actions

  • Audit all public-facing servers and storage assets to ensure no sensitive personal data is inadvertently exposed or indexable by search engines.
  • Establish a documented breach notification procedure that enforces the 72-hour GDPR reporting obligation with assigned owners and escalation paths.
  • Clearly document and assign data controller responsibilities across all organizational units handling personal data.

Long-term improvements

  • Implement Data Protection Impact Assessments (DPIAs) for any system processing special category data such as health information.
  • Conduct regular staff training on GDPR obligations, including breach identification, reporting timelines, and data controller accountability.
  • Enforce a data minimization and classification policy to ensure sensitive data is stored only in appropriately secured, access-controlled environments.

Detection measures

  • Deploy web crawling and external exposure monitoring tools to detect publicly indexed sensitive data proactively.
  • Implement logging and alerting on access to repositories containing special category personal data to detect unauthorized or anomalous access early.