No damages claims have been brought against Estonia's biggest hospitals after a leak of personal and health data from Tartu-based genetic testing company Asper Biogene. Approximately 10,000 people are affected.
Asper Biogene provided some testing services for healthcare providers, including Tartu University Clinic (TÜK), the North Estonia Medical Center (PERH), and East Tallinn Central Hospital (ITK).
Hospitals have alerted those affected and said people should pay close attention to their emails, not click any links, and check if they are from their doctor or medical service.
Yesterday, the police said victims should also be aware of possible ransom threats. If these are received, they should be reported to the authorities.
PERH recommends contacting the hospital if the theft has caused any damage.
Administrative director Aivi Karu told ERR every person whose rights have been violated has the right to request fair compensation under Estonian law.
"The impact will be different for each individual, and therefore any potential damages will have to be addressed individually," Karu said.
While no claims have been submitted so far, it is not ruled out that some could be in the future.
TÜK data protection specialist Priit Piiri also confirmed the hospital had not been contacted about damages. She said all claims are based on individual circumstances as are the decisions to pay out compensation.
Inge Suder, head of ITK's communication and marketing department, said the center follows similar rules. "We have not currently received any claims," she said.
The Data Protection Inspectorate said test results, names, and personal identification numbers were among the stolen data. The timeframe spans 2009-2023.
Leak may become Estonia's first landmark data protection case
Technology and data protection lawyer Risto Hübner said Asper Biogene's customers are also responsible for the data leak. The case could be Estonia's first big data protection case and has the potential for several lawsuits and damages claims.
"The leaked files contained extremely sensitive data, the disclosure of which could seriously harm people," said Hübner. "Under the law, healthcare providers are liable for the entire supply chain, including the healthcare institutions whose patients' data was leaked by Asper Biogene."
The Data Protection Inspectorate said the leak concerns 42 healthcare institutions that use the company's services.
"There is no precedent for such a large data leak in Estonia, but it is very likely that the Data Protection Inspectorate will also have to initiate supervisory proceedings against Asper Biogene's customers," Hübner said. "It needs to be clarified whether Asper Biogene's clients whose patient data have been leaked have taken all necessary measures as data controllers to protect the data."
The lawyer said that, under the EU's General Data Protection Regulation (GDPR), institutions such as hospitals must be able to prove they have implemented the necessary technical and organizational measures to protect their data.
"For example, it is difficult to see the transfer of personal data in unencrypted form as an adequate measure, which means that hospitals are likely to become co-responsible," said Hübner.
He added that on Thursday the Court of the European Union found that a person's fear of the possible misuse of their leaked data can be grounds for claiming damages.
Editor: Helen Wright