Lithuania: €450,000 GDPR fine for lack of MFA at InMedica

Lithuania’s DPA fined InMedica €450,000 over two incidents (2024 breach, 2025 ransomware), citing lack of MFA and poor access controls under GDPR Articles 5(1)(f), 24(1) and 32(1)(b).

On 29 June 2026, the Lithuanian DPA (VDAI/SDPI) fined UAB InMedica €450,000 over two separate incidents: unauthorized access to Kardiolita’s patient system, disclosed in September 2024 (InMedica became Kardiolita’s legal successor on 25 June 2025), and a 2025 ransomware attack that encrypted four systems processing patient and employee data. The investigation found no multi‑factor authentication (MFA) on external and privileged access, together with insufficient password strength.

Legal framework and basis

The DPA relied on Articles 5(1)(f) (integrity and confidentiality), 24(1) (controller responsibility) and 32(1)(b) (security appropriate to the risk, which here includes strong authentication). These obligations sit at the core of the GDPR’s security and accountability requirements. The decision singles out inadequate authentication on external connections and the failure to restrict access to authorized users only. Taking the facts of both incidents (2024 and 2025) together with the sensitivity of the data (health) and the scale of processing, the DPA imposed a single sanction on InMedica as Kardiolita’s legal successor.

What this means for Luxembourg organizations

  • Clear signal on MFA and remote access: the DPA treated the absence of MFA on external access to sensitive systems as a breach of Article 32. Organizations handling health, HR, finance or other critical systems should treat phishing‑resistant MFA as the baseline, not as an enhancement.
  • Legal continuity and liability: under universal succession (merger, acquisition, reorganization), the successor remains liable for the predecessor’s past shortcomings. Cyber and GDPR due diligence before closing, and a remediation plan after it, are essential.
  • Scope and timing: two incidents months apart with the same root causes (access controls, MFA) significantly aggravate the sanction under Article 83 when no effective fix can be demonstrated in between.
  • Regulated sectors in Luxembourg: the same expectations are shared by the local supervisors (CSSF, ILR). Entities under NIS 2 and DORA face compounded exposure if strong authentication, logging and privilege control are missing. See how NIS 2 obligations in Luxembourg impact access management.

Concrete actions to take this week

  • Map external and privileged access: inventory admin accounts, bastions and RDP/VPN/SSH flows; enforce phishing‑resistant MFA (FIDO2/WebAuthn) on every external and privileged account; revoke dormant accounts immediately rather than leaving them enabled.
  • Harden access controls and passwords: apply least privilege, strong password and secret policies, directory hardening (Microsoft Entra ID, formerly Azure AD; LDAP), IP filtering and conditional access so that external connections are restricted to authorized users only.
  • Test and evidence: run a backup restoration test on critical assets; verify that authentication and admin logs are complete and can be correlated (every external login should be traceable to an MFA event); update the risk analysis and DPIA; compile evidence of compliance with Articles 24 and 32. An access and authentication‑focused cybersecurity audit can accelerate readiness.
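As an added example (not Luxgap’s code and not anything from the DPA decision), the following Python script checks the three actions above against an exported account inventory and an authentication log: it flags privileged or externally reachable accounts without phishing‑resistant MFA, enabled accounts that have gone dormant, and successful external logins that no MFA event can be correlated with. The export fields, the log format, the internal IP ranges and the set of methods treated as phishing‑resistant are assumptions chosen for illustration; every account and log line is constructed.

```python
"""Access and MFA audit: added example, not code from Luxgap or the DPA decision.
Assumptions: the directory export fields, the 'ts service event k=v ...' log
format, the internal IP ranges and the set of methods treated as
phishing-resistant are all hypothetical; every record below is constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed to count as phishing-resistant; SMS/OTP/push count as MFA but are weak.
PHISHING_RESISTANT = {"fido2", "webauthn", "smartcard", "certificate"}

# Assumed internal ranges. Deliberately not ipaddress.is_private(): Python marks
# the documentation ranges used in the sample log (203.0.113.0/24 etc.) private too.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed directory export: who has privileged or external access, and how they authenticate.
ACCOUNTS = [
    {"user": "admin.jonas", "privileged": True,  "external_access": True,  "mfa_methods": ["fido2"], "last_sign_in": "2025-09-22T11:15:43Z", "enabled": True},
    {"user": "svc.backup",  "privileged": True,  "external_access": False, "mfa_methods": [],        "last_sign_in": "2025-03-01T02:00:00Z", "enabled": True},
    {"user": "dr.ruta",     "privileged": False, "external_access": True,  "mfa_methods": ["sms"],   "last_sign_in": "2025-09-22T07:44:12Z", "enabled": True},
    {"user": "old.vendor",  "privileged": False, "external_access": True,  "mfa_methods": [],        "last_sign_in": "2024-11-10T10:00:00Z", "enabled": True},
    {"user": "it.former",   "privileged": True,  "external_access": True,  "mfa_methods": [],        "last_sign_in": "2025-01-05T09:00:00Z", "enabled": False},
]

# Constructed auth log: gateway logins plus the IdP's MFA results, one event per line.
AUTH_LOG = """\
2025-09-22T07:44:10Z vpn login user=dr.ruta src=203.0.113.7 result=success
2025-09-22T07:44:12Z idp mfa user=dr.ruta method=sms result=success
2025-09-22T09:01:30Z vpn login user=old.vendor src=198.51.100.23 result=success
2025-09-22T09:30:00Z rdp login user=admin.jonas src=10.0.5.12 result=success
2025-09-22T11:15:40Z ssh login user=admin.jonas src=198.51.100.77 result=success
2025-09-22T11:15:43Z idp mfa user=admin.jonas method=fido2 result=success
2025-09-22T13:02:00Z vpn login user=svc.backup src=203.0.113.40 result=failure
"""


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


NOW = parse_ts("2025-09-23T00:00:00Z")  # audit reference time for the sample data


def is_internal(src):
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


def audit_accounts(accounts, now=NOW, dormant_days=90):
    """Step 1: enabled accounts with privileged or external access must have
    phishing-resistant MFA, and dormant accounts must be revoked."""
    findings, cutoff = [], now - timedelta(days=dormant_days)
    for a in accounts:
        if not a["enabled"]:
            continue  # already revoked: nothing to enforce
        methods, exposed = set(a["mfa_methods"]), a["privileged"] or a["external_access"]
        if exposed and not methods:
            findings.append((a["user"], "no MFA on privileged/external account"))
        elif exposed and not methods & PHISHING_RESISTANT:
            findings.append((a["user"], "MFA not phishing-resistant: " + ",".join(sorted(methods))))
        if parse_ts(a["last_sign_in"]) < cutoff:
            findings.append((a["user"], f"dormant >{dormant_days}d, still enabled"))
    return findings


def parse_auth_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, service, kind, *kv = line.split()
        events.append({"ts": parse_ts(ts), "service": service, "kind": kind,
                       **dict(p.split("=", 1) for p in kv)})
    return events


def external_logins_without_mfa(events, window_seconds=60):
    """Step 3 (log correlation): every successful login from outside INTERNAL_NETS
    must be followed within window_seconds by a successful MFA event for the same
    user; a login with no such event, or only a weak method, is a finding."""
    window = timedelta(seconds=window_seconds)
    mfa_ok = [e for e in events if e["kind"] == "mfa" and e["result"] == "success"]
    findings = []
    for e in events:
        if e["kind"] != "login" or e["result"] != "success" or is_internal(e["src"]):
            continue
        proofs = [m for m in mfa_ok
                  if m["user"] == e["user"] and e["ts"] <= m["ts"] <= e["ts"] + window]
        if not proofs:
            findings.append((e["user"], e["service"], e["src"], "no MFA correlated"))
        elif not any(m["method"] in PHISHING_RESISTANT for m in proofs):
            findings.append((e["user"], e["service"], e["src"], "MFA weak: " + proofs[0]["method"]))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS):
        print("ACCOUNT", *f)
    for f in external_logins_without_mfa(parse_auth_log(AUTH_LOG)):
        print("LOGIN  ", *f)
```

On the sample data the account audit reports svc.backup (no MFA, dormant), dr.ruta (SMS only) and old.vendor (no MFA, dormant), while the log correlation reports the two external VPN logins that were not backed by phishing‑resistant MFA and ignores the internal RDP session. In a real deployment the inventory would come from the directory (Entra ID, LDAP) and the log lines from the VPN/SSH gateways and the IdP; the point of keeping both checks is that the inventory proves the policy exists and the log correlation proves it is actually enforced, which is the kind of evidence Articles 24 and 32 call for.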

Bottom line

The case underscores MFA and access control as central to GDPR compliance and shows that failing to remediate between similar incidents weighs heavily in sanctioning.

Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.
