The personal data protection commission has confirmed on Friday it is investigating a serious breach at the Bank of Cyprus oncology centre.
The authority said it was informed by the centre in line with obligations under the general data protection regulation and national law, with the latter later having filed a complaint with the police and informed the digital security authority.
The centre said that malicious actors accessed patient and employee data and are threatening to publish it on social media, emphasising that it is working intensively with cybersecurity engineers and external consultants to secure its systems and limit further exposure.
Meanwhile, the personal data protection commission requested detailed information from the centre and opened an investigation into the nature of the breach and what specific data was stolen.
It is examining the organisation’s security measures and whether additional safeguards should have been in place.
The incident has prompted concern in parliament, with house health committee chairman Efthymios Diplaros warning that breaches involving medical data can have damaging impact on patients’ private lives.
He called for immediate intervention from the cybercrime branch and stronger measures to prevent the publication of sensitive personal information.
Police outlined the legal framework surrounding the handling of patient data, stressing that health information may only be processed when strictly necessary and with safeguards to protect individuals’ rights.
They said data breaches must be reported to the personal data protection commissioner, and in some cases affected individuals are informed.
The oncology centre said its operations continue as normal and that it is cooperating fully with state authorities while additional security measures are implemented.
The personal data protection authority said its investigation is ongoing ensure organisations managing sensitive information uphold strong data protection standards.
