Gene data of 10,000 Estonians leaked

A ransomware incident has occurred at the Estonia-based genetic analysis company “Asper Biogene”. Personal and health data of around 10,000 people was stolen from the database. Some files contain test results from genetic tests requested by healthcare providers and individuals at the company.

In total, around 100,000 records were copied and downloaded. According to the Director General of the Estonian Data Protection Agency, Pille Lehis, more than forty healthcare companies are affected by the incident, including those offering fertility tests.

A security gap in the server has since been closed. An investigation has also been launched to preserve evidence. The Data Protection Authority has also initiated proceedings against the data processor, which specializes in the diagnosis of genetic diseases.

“Threats are not taken seriously”

Asper Biogene became aware of the illegal access to the data in mid-November. The company then informed the data protection authority and the police, among others. The fact that Asper Biogene is only now notifying those affected has earned the company criticism: “Unfortunately, the incident shows that threats in cyberspace are still not being taken seriously,” says Lehis. According to him, the consequences of the data leak could have been “mitigated if the data had been encrypted or pseudonymized within the company”.

Various Estonian authorities are now sounding the alarm. For example, the Estonian Ministry of Justice issued a press release warning against phishing emails: “You should be extremely vigilant if you receive an email from someone who plausibly presents the results of your genetic study and is now asking you to take further action,” it says. The processes of healthcare providers responsible for data processing should also be investigated.

(mack)