Justice chancellor calls for clarity on access to sensitive personal data

Estonian Chancellor of Justice Ülle Madise believes that in light of the data leak from genetic testing company Asper Biogene, the questions of who collects sensitive personal data in Estonia and why ought to be reviewed.
Madise said that it was questionable whether the data had been stored legally at all.
"Hospitals and doctors are allowed to keep patient health and analysis data. There is a clear purpose for this and it is written in plain and simple words in the law. How such data could have been in the hands of a private company in the first place, which is essentially a lab, well, that's the big question. And we have also looked at the test order forms and the material that is on this company's website. It is very questionable whether consent given in this way could be deemed sufficient," Madise said.
Hardi Tamm, CEO of Asper Biogene, said the company holds the data legally and that reports of previous tests were retained because the national databases are not sufficient. The mistakes, he said, were due to the company's insufficient data security systems.
"Of course there have been mistakes, there are no two ways about it. /.../ It's not just a healthcare issue, but maybe we in general have paid too little attention to the IT or security issues in our systems," said Tamm.
The Chancellor of Justice believes that in future it should be made clear who is allowed to keep the data. Checks should also be made to determine whether other sensitive data is being held by other private companies.
"The problem, whereby enforcement of the law is very weak in Estonia, has long been known. And people are now quite rightly asking our authorities why an accident like this has been allowed to happen at all, where there has been oversight in the past. But unfortunately, the situation is such that if there are a relatively high number of officials in the ministries and their salaries are also quite high, then the supervisors are often under a very heavy burden. This, however, should not be the case in the country," said Madise.
However, this is not the first time personal data has fallen into the wrong hands as a result of a cyberattack in Estonia.
"We remember in 2020 and 2021, when the Police and Border Guard Board (PPA) leaked 300,000 document photos as a result of an attack. In 2020, the Ministry of Justice leaked data belonging to thousands of people who had received legal advice, cases that have not been followed up with any sanctions from the Data Protection Inspectorate," said Maili Torma, a data protection expert.
The Data Protection Inspectorate says that it sees companies violating some of the data protection requirements every week. This year alone, there have been almost 200 notifications of data protection or GDPR breaches. Although most are minor errors that do not require any outside intervention, Estonian law does not currently enable the prosecution of those who misuse data.
"In a recent court ruling on the first data protection misdemeanor fine imposed on a company, East Tallinn Central Hospital, we lost in court, unfortunately. The reason being, the court found that Estonian law does not allow for that at the moment; there is an important gap between our national procedures and the GDPR," explained Pille Lehis, director general of the Data Protection Inspectorate.
The PPA has previously been contacted by people who received phone calls from scammers informing them of a supposed data leak and then asking further questions.
"The police would like to emphasize that currently, health service providers are not making telephone calls to people who have been the subject of a data leak, they are only sending e-mail notifications," said Rain Vosman, head of the PPA's Southern Prefectural Crime Bureau.
Editor: Michael Cole