Date: Jun 2025

Location: Italy

Summary

The Azienda Sanitaria Provinciale di Palermo confirmed it suffered a cyber attack that affected approximately forty-five workstations. The incident potentially exposed personal identification data, contact information, administrative records, and other data still under review, while the organization isolated the affected systems, launched internal security and forensic procedures, notified the data protection authority, and cooperated with law enforcement.


Description

On 18 June 2025, the Azienda Sanitaria Provinciale di Palermo experienced a cyber attack that disrupted operations. The organization publicly confirmed the incident on 19 June 2025 after observing ongoing operational difficulties. Approximately forty-five corporate workstations were affected by the attack. At the time of disclosure, it was not possible to determine with certainty which organizational units or structures were linked to the compromised workstations.

The potentially exposed data include personal and identifying information, contact details, and data pertaining to administrative practices. Additional data categories remain under investigation and have not yet been fully identified. Because the specific individuals whose data may have been compromised could not be ascertained, the organization deemed the public notice to serve as an alternative notification under Article 34 paragraph 3 letter c of the GDPR. This approach fulfills the regulatory requirement to inform data subjects when direct communication is not feasible.

In response, the ASP immediately isolated the compromised workstations to prevent further spread. It activated its internal security protocols and initiated a forensic analysis to ascertain the scope and origin of the breach. The incident was reported to the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) as required by Article 33 of the GDPR. The organization also began cooperating with judicial authorities and other competent bodies conducting the investigation. Individuals seeking clarification may contact the Data Protection Officer via the email address [email protected].
