Cyber Incident Victim: Rezzan Günday

The data breach involving Rezzan Günday (Şimşek Pharmacy) was publicly disclosed by the Turkish Data Protection Authority (KVKK) on August 18, 2020. According to the KVKK’s announcement, the incident originated from the actions of a former employee who improperly accessed and transferred patient data to another pharmacy without authorization. The breach timeline extended from October 2019 until its discovery, spanning approximately 10 months. Compromised data included Turkish identification numbers, telephone numbers, and special category health information, which is afforded heightened protection under Turkish data protection laws due to its sensitivity. The former employee’s misconduct specifically involved extracting patient identification details to facilitate the transfer of prescription drug supply operations to a competing pharmacy, bypassing patient consent or notification.

The KVKK’s disclosure did not specify technical intrusion methods but emphasized the breach resulted from insider misuse rather than external cyberattacks. No public statements from Şimşek Pharmacy regarding containment measures, forensic investigations, or victim notifications were referenced in the announcement. The breach’s primary impact centered on the unlawful processing and transfer of health-related personal data, exposing affected individuals to potential privacy violations and unauthorized use of their medical information. The KVKK’s public notification served as the primary regulatory response, highlighting the incident’s duration and scope to underscore compliance failures. Consequences included the prolonged exposure of sensitive patient data and the subversion of pharmaceutical service protocols through illicit data sharing between pharmacies. The absence of disclosed remediation steps by the pharmacy left the regulatory announcement as the sole public account of organizational or corrective actions.