Abstract
Every natural person has the fundamental right of protection in relation to the processing of their personal data. The General Data Protection Regulation (GDPR) is the legal basis for data protection in the European Union. One aspect of the GDPR is that violations of this regulation can lead to significant fines. To ensure data protection, controllers have to analyse and mitigate the risks to the rights and freedoms of data subjects. Many different stakeholders and organisations with or without malicious intentions can pose a risk in this sense. Overall, it is important to know who the attackers actually are and understand the context of potential violations. To this end we analyse data protection violations in the health care sector between July 2018 and March 2023 based on fines imposed under GDPR to identify stakeholders who pose a risk to the data subjects as well as their motives. Surprisingly, it appears that the controller is by far the most frequent perpetrator of a data protection violation while their motives are often just negligence. Insiders like employees often cause a personal data breach accidentally. Measures to enhance competence and awareness are of major importance to foster the compliance with data protection regulations.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
AlEroud, A., Masalha, F., Saifan, A.A.: Identifying GDPR privacy violations using an augmented LSTM: toward an AI-based violation alert systems. In: 2021 IEEE International Conference on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), pp. 1617–1624 (2021). https://doi.org/10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00216
Capodieci, A., Mainetti, L.: Business process awareness to support GDPR compliance. In: Proceedings of the 9th International Conference on Information Systems and Technologies, pp. 1–6 (2019)
CMS Law.Tax: GDPR Enforcement Tracker. https://www.enforcementtracker.com/. Accessed 03 July 2023
Dayarathna, R.: Taxonomy for information privacy metrics. J. Int’l. Com. L. Tech. 6, 194 (2011)
Fan, M., et al.: An empirical evaluation of GDPR compliance violations in Android mHealth apps. In: 2020 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE), pp. 253–264 (2020). https://doi.org/10.1109/ISSRE5003.2020.00032
Martin, N., Friedewald, M., Schiering, I., Mester, B.A., Hallinan, D., Jensen, M.: The Data Protection Impact Assessment According to Article 35 GDPR. Fraunhofer Verlag (2020). https://doi.org/10.24406/publica-fhg-300244
Mulder, T.: Health apps, their privacy policies and the GDPR. Eur. J. Law Technol. 10(1) (2019). https://www.ejlt.org/index.php/ejlt/article/view/667
Presthus, W., Sønslien, K.F.: An analysis of violations and sanctions following the GDPR. Int. J. Inf. Syst. Proj. Manag. 9(1), 38–53 (2021)
Saemann, M., Theis, D., Urban, T., Degeling, M.: Investigating GDPR fines in the light of data flows. In: Proceedings on Privacy Enhancing Technologies, vol. 2022, no. 4, pp. 314–331 (2022)
Sirur, S., Nurse, J.R., Webb, H.: Are we there yet? Understanding the challenges faced in complying with the general data protection regulation (GDPR). In: Proceedings of the 2nd International Workshop on Multimedia Privacy and Security, MPS 2018, pp. 88-95. Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3267357.3267368
Wolff, J., Atallah, N.: Early GDPR penalties: analysis of implementation and fines through May 2020. J. Inf. Policy 11, 63–103 (2021). https://doi.org/10.5325/jinfopoli.11.2021.0063
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 IFIP International Federation for Information Processing
About this paper
Cite this paper
Schmidt, R., Schiering, I. (2024). Who Is the Attacker - Analyzing Data Protection Violations in Health Care. In: Bieker, F., de Conca, S., Gruschka, N., Jensen, M., Schiering, I. (eds) Privacy and Identity Management. Sharing in a Digital World. Privacy and Identity 2023. IFIP Advances in Information and Communication Technology, vol 695. Springer, Cham. https://doi.org/10.1007/978-3-031-57978-3_10
Download citation
DOI: https://doi.org/10.1007/978-3-031-57978-3_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57977-6
Online ISBN: 978-3-031-57978-3
eBook Packages: Computer ScienceComputer Science (R0)