The Bank of Cyprus oncology centre on Thursday reported a serious breach of personal data, raising concerns about the security of sensitive patient and employee information.
The centre has filed a complaint with the police, while also notifying the personal data protection commissioner and the digital security authority.
“So far, it has been confirmed that the malicious elements behind the malicious attack have unfortunately gained access to personal patient data as well as employee data, for which they are threatening to further disclose it in the media and on social media,” the centre said.
The centre said it is working intensively with teams of cybersecurity engineers and consultants to address the situation.
Efthymios Diplaros, chairman of the House health committee, told the Cyprus Mail that such breaches can have a direct impact on patients.
“When personal data of patients is made public, it directly affects their private lives, as well as information they would not want to be disclosed,” he said.
He called for urgent action.
“We are asking, and I can say this as a development, for immediate intervention from the cybercrime unit and measures to ensure that patients’ personal data does not appear online,” Diplaros added.
He also stressed the role of hospital authorities.
“We consider that the management of the oncology centre should review its cybersecurity measures. Beyond that, they should already be asked what steps they will take in light of this incident,” he said.
The police outlined the legal framework for handling patient information.
“Processing of personal data is lawful only if it is necessary to comply with a legal obligation, protect the vital interests of the data subject, or for the performance of a task carried out in the public interest,” they said.
They added that special categories of data, such as health information, “may only be processed when strictly necessary and with safeguards for the rights and freedoms of individuals.”
In the event of a data breach, the police follow a notification procedure.
“The law requires reporting to the personal data protection commissioner. In some cases, affected individuals are also informed,” the police clarified.
They added that in such circumstances, the police can appoint a data protection officer to ensure compliance.
The case is being handled by the centre’s management in full coordination with state authorities, while additional measures have been implemented to enhance system security, the centre said.
It added that the oncology centre is committed to addressing the situation and protecting the personal data of its patients and employees, while its operations continue normally.