At the end of July 2020, the National Cybersecurity Division (DNC) received an alert about a vulnerability of the public health system of the Province of San Juan, Argentina. This provincial health system is “Andes Salud”. News were that the security incident was a potential data leak of COVID-19-infected patients registered in the Ministry's database.
Based on this information, the Argentine Data Protection Authority required the Ministry to prepare and file a report on the breach as well as on certain aspects relating to its responsibility, and to inform what measures were adopted as a result of it.
In turn, the Ministry explained that, before the incident, the database was only accessible from its local network. However, as of April 2020, the database went online to facilitate remote work and has been unprotected ever since.
The Ministry further acknowledged that at the time of the incident the number of records of citizens of the Province of San Juan that were in the database was 115,282 and the personal data contained in the Andes Salud system database included full name, ID number, TAX ID number, gender, date of birth, photograph, telephone number and email address. According to the Ministry, the database did not contain data on patients infected with COVID-19.
In that connection, Argentine Data Protection Authority concluded that the Ministry had failed to diligently ensure the security and confidentiality of the data, thus breaching sections 9 and 10 of the Argentine Data Protection Law No. 25,326.
It concluded that by “having local databases, programs or equipment containing personal data without the proper security conditions mandated by the regulation,” the Ministry had committed a serious offense under point 2, subsection k) of Annex I of DNPDP Provision No. 7 of November 8, 2005 and amendments.
At the same time, by “violating the duty of confidentiality required by section 10 of Law No. 25,326 on personal data incorporated into records, files, banks or databases,” the Ministry additionally committed a serious breach under point 2, subsection j) of Annex I of DNPDP Provision No. 7/05 and amendments.
The regulator also highlighted that the Ministry failed to meet the recommended security measures for processing and storing personal data in computerized media, as per Resolution No. 47/2018.
When evaluating sanctions, the local DPA considered different aspects of the case. It evaluated the documents outlining the work of the Province of San Juan and, thus, found that the Ministry had promptly activated the protocols of its technical areas to solve the vulnerability and mitigate its effects. It also considered the province’s —and federal government’s— need to allocate the largest amount of its public funds to managing the economic and health crisis caused by the pandemic.
Therefore, because the Ministry has no prior offenses, the Argentine Data Protection Authority did not deem any monetary sanction to be justified and instead issued two warnings under Provision No. 7/2005 and amendments.
Finally, it held that, pursuant to Law No. 25,326, it has jurisdiction to oversee the transfer of data carried out between different provincial agencies interconnected to the Andes Salud database in general and, in particular, the transfer of data between these organizations, pursuant to section 44 of the aforementioned law.
Article provided by INPLP member: Diego Fernandez (Marval O’Farrell Mairal, Argentina)
Dr. Tobias Höllwarth (Managing Director INPLP)