Ministry of Health of the Province of San Juan Receives Sanction for Database Vulnerability

On July 28, 2020, the National Cybersecurity Division (DNC) received an alert about the vulnerability of the public health system of the Province of San Juan called “Andes Salud” involving a potential data leak of COVID-19-infected patients registered in the Ministry's database.

In response, the AAIP required the Ministry to issue a statement on the breach as well as on certain aspects relating to its responsibility for the breach and what measures were adopted as a result of it.

In it, the Ministry explained that, before the incident, the database was only accessible from its local network. However, as of April 2020, the database went online to facilitate remote work and has been unprotected ever since.

The Ministry further acknowledged that at the time of the incident the number of records of citizens of the Province of San Juan that were in the database was 115,282 and the personal data contained in the Andes Salud System database included full name, ID number, TAX ID number, gender, date of birth, photograph, telephone number and email address. According to the Ministry, the database did not contain data on patients infected with COVID-19.

The AAIP issued a report sustaining that the Ministry had failed to diligently ensure the security and confidentiality of the data, thus breaching sections 9 and 10 of Law No. 25,326.

It concluded that by “having local databases, programs or equipment containing personal data without the proper security conditions mandated by the regulation,” the Ministry had committed a serious offense under point 2, subsection k) of Annex I of DNPDP Provision No. 7 of November 8, 2005 and amendments.

At the same time, by “violating the duty of confidentiality required by section 10 of Law No. 25,326 on personal data incorporated into records, files, banks or databases,” the Ministry additionally committed a serious breach under point 2, subsection j) of Annex I of DNPDP Provision No. 7/05 and amendments.

The AAIP also highlighted that the sanctioned entity failed to meet AAIP Resolution No. 47 of July 23, 2018, which includes a serries of recommended security measures for processing and storing personal data in computerized media.

When evaluating the sanction, the AAIP considered different aspects of the case. In principle, it evaluated the documents outlining the work of the Province of San Juan and, thus, found that the Ministry had promptly activated the protocols of its technical areas to solve the vulnerability and mitigate its effects. It also took into account the province’s —and federal government’s— need to allocate the largest amount of its public funds to managing the economic and health crisis caused by the pandemic.

Therefore, because the Ministry has no prior offenses, the AAIP did not deem any monetary sanction to be justified and instead issued two warnings under Provision No. 7/2005 and amendments.

Finally, the AAIP held that, pursuant to  Law No. 25,326, it has jurisdiction to oversee the transfer of data carried out between different provincial agencies interconnected to the Andes Salud database in general and, in particular, the transfer of data between these organizations, pursuant to section 44 of the aforementioned law.