
Medical Records Leaked Due to Data Breach in the Healthcare Sector

The following article was written by our partner Gabriela Szlak and our associate Luciano N. Gutman, and published by the IAPP (International Association of Privacy Professionals) in its Latin America Digest. The original version in Spanish can be read here.

During April 2025, a cyberattack was reportedly detected targeting a technology provider in the healthcare sector in Argentina that serves approximately 30 medical centers. According to various sources, as a result of this incident, more than half a million patients’ medical records were allegedly put up for fraudulent sale. Unfortunately, this episode is not an isolated case but rather adds to previous data breaches in the healthcare industry from late 2024.

At a recent event organized by the non-governmental organization Association for Civil Rights (ADC), it was noted that in Argentina, “(…) cybersecurity has not been a priority on the public agenda, and current regulations do not effectively link information security with personal data protection. The Personal Data Protection Law, which was once a regional benchmark, has become outdated in light of technological advancements and the risks and opportunities they entail. For example, unlike more modern regulations such as those in the European Union, Brazil, or Chile—which has not yet entered into force—the Argentine law does not clearly establish an obligation to notify authorities or affected individuals when security incidents occur.”

Beyond what has been stated so far, it is important to highlight that both the public and private sectors in Argentina have promoted initiatives to supplement the current law in an effort to establish a regulatory framework aligned with present-day challenges. In this regard, in 2018 the Agency for Access to Public Information (hereinafter, the “Agency”), the data protection authority of the country, published a series of recommended security measures for the processing and storage of personal data.

Within this framework, the Agency has recommended that, in the event of security incidents that may compromise personal data, companies take actions to mitigate the damage, prepare reports on the incident, and submit them to the Agency. Although formally these are non-binding recommendations, in recent years the failure to notify affected individuals and the Agency has been used as grounds to sanction companies that experienced data breaches. This position taken by the authority is particularly significant when the leaks involve sensitive data, such as health information contained in medical reports.

With regard to the private sector, at the aforementioned ADC event it was noted that various industry stakeholders “(…) have implemented advanced security measures, such as default data encryption, anonymization of sensitive information, and restricted access mechanisms based on principles of necessity and proportionality (…).”

The attack mentioned at the beginning of this article demonstrates that it is not enough for a company to implement internal information security controls; rather, a cross-cutting approach is required—one that involves both the service provider chain within the relevant sector and the ongoing training of the human resources of each entity involved in the processing of personal data. In this regard, it is essential to complement such controls with clear obligations requiring providers to comply with the company’s security standards.

Companies in the healthcare sector can also adopt more advanced measures regarding data governance and the protection of patient privacy. Among these, two stand out: the Record of Processing Activities and the Data Protection Impact Assessment (known respectively as RoPA and PIA). The Record of Processing Activities serves as a detailed inventory of the operations a company performs on personal data. It includes key information such as the purpose of the processing, the categories of data and data subjects involved, the recipients of the data, any potential international data transfers, retention periods, and the security measures applied to the processing.

This mapping enables companies to identify what data they process and how it is processed, optimizing their operations and facilitating the detection of potential vulnerabilities. A Data Protection Impact Assessment, in turn, can be defined as “(…) a process that organizations must carry out to identify and address the risks that may arise from their regular activities, new projects, or corporate policies when these involve the processing of personal data.” These assessments are documented in a final report and an action plan to mitigate the risks identified during the process. They are particularly useful in contexts where a company plans to implement new technologies that will affect the processing of health data—for example, the launch of a mobile application for scheduling appointments or for providing online patient care.

Although these tools are not mandatory under the current Argentine regulations, their adoption demonstrates a proactive commitment to privacy and can be useful for healthcare companies by facilitating data governance and the identification and mitigation of risks. In fact, the Agency considers the implementation of accountability measures when assessing the application and severity of sanctions imposed on companies in cases involving complaints or incidents.

Until Argentina’s Personal Data Protection Law is updated, initiatives from both the public and private sectors are crucial for safeguarding patients’ health data and, consequently, fundamental rights such as privacy, dignity, and honor.

It is important to highlight that the 2023 draft Personal Data Protection Law, which lost parliamentary status last year, included the obligation to notify both the supervisory authority and the affected individuals about incidents compromising personal data. However, unlike more advanced regulations such as those in the European Union or Brazil, the Argentine draft required the reporting of any such breach, without applying a risk-based approach. In comparative law, criteria are established to help companies determine when it is necessary to notify an incident, thereby avoiding an excessive burden on both the companies and the authority responsible for processing such reports.

From the perspective of affected individuals, being notified of every security incident can have an adverse effect—either by causing unnecessary stress or by leading them to downplay critical situations and, as a result, fail to take appropriate measures to mitigate actual harm. For this reason, we believe that future reform bills in Argentina should prioritize a risk-based approach and promote accountability regarding notification of data breaches.

Some privacy-related conclusions and recommendations for healthcare companies:

  • Contracts with service providers: Sign written agreements with providers that establish the required information security standards, considering the nature of the information and the personal data the provider will process. These contracts should also clearly define responsibilities in the event of incidents, establish indemnities in favor of the company, and include clauses regulating data processing (or refer to the company’s data processing agreement), as well as the use of subprocessors.
  • Cyber insurance: Evaluate obtaining insurance that covers damages resulting from data breaches. Depending on each provider’s profile, it may also be advisable to require providers to obtain this type of cyber insurance.
  • Record of Processing Activities (RoPAs): Engage the different areas of the company in identifying and documenting all activities involving the processing of personal data. This inventory should include key information such as the categories of data processed, the purpose of the processing, the data recipients, retention periods, and the security measures in place.
  • Data Protection Impact Assessments (PIAs): Before implementing new processes or technologies for processing personal data—especially when sensitive data is involved—it is recommended to carry out an assessment that identifies the risks to data subjects (in this case, healthcare patients) and defines technical and organizational measures to mitigate them.
  • Incident documentation: Document all data breaches that affect personal data. The report should describe the incident, identify the categories of personal data and individuals affected, and detail the technical and organizational measures taken to mitigate the impact and prevent recurrence.
  • Incident notification: Although current regulations in Argentina do not clearly require it, consider notifying the Agency and the affected individuals. This decision should be made in coordination with the legal team, information security, and any other relevant departments within the company, such as product or public relations.

If your company or organization requires advice on privacy and personal data protection matters, do not hesitate to contact our team at info@lermanszlak.com.


Gabriela Szlak

T° 79 F° 516 CPACF


Luciano N. Gutman

T° 145 F° 535 CPACF

________________________________________________________________________________________________________________________________

1- News available in Spanish at: https://www.forbesargentina.com/innovacion/tras-hackeos-centros-medicos-grupo-rossi-especialistas-alertan-falta-inversion-ciberseguridad-sector-salud-n63802

2- News available in Spanish at: https://www.clarin.com/tecnologia/hackean-proveedor-software-medico-argentina-venden-resultados-estudios-pacientes_0_HmJFy0ZYib.html

3- “Sexual and reproductive health: Challenges and opportunities to ensure the security and privacy of sensitive data” – an event organized by the non-governmental organization Association for Civil Rights (ADC), with the support of the British Embassy in Argentina. The executive summary is available in Spanish at: https://adc.org.ar/wp-content/uploads/2025/03/Resumen-ejecutivo-Dialogo-sobre-la-Seguridad-y-Privacidad-de-los-Datos-en-Salud-Sexual-y-Reproductiva.pdf

4- Resolution 47/2018 of the Agency for Access to Public Information. Available in Spanish at: https://www.argentina.gob.ar/normativa/nacional/resoluci%C3%B3n-47-2018-312662/texto

5- See, for example, the Agency’s Resolution in File No. EX-2020-83150939—APN-DNPDP#AAIP. Available in Spanish at: https://www.argentina.gob.ar/sites/default/files/rs-2021-146-apn-dnpdpaaip_censurado.pdf

6- “Sexual and Reproductive Health: Challenges and Opportunities to Ensure the Security and Privacy of Sensitive Data” – an event organized by the Asociación por los Derechos Civiles (ADC), with the support of the British Embassy in Argentina. The executive summary is available in Spanish at: https://adc.org.ar/wp-content/uploads/2025/03/Resumen-ejecutivo-Dialogo-sobre-la-Seguridad-y-Privacidad-de-los-Datos-en-Salud-Sexual-y-Reproductiva.pdf

7- Data Protection Impact Assessment Guide developed by the Agency for Access to Public Information of Argentina and the Regulatory and Personal Data Control Unit of Uruguay. Available in Spanish at: https://www.argentina.gob.ar/sites/default/files/guia_final.pdf

8- Article 6 of Annex II of Resolution 126/2024 issued by the Agency for Access to Public Information. Available in Spanish at: https://www.argentina.gob.ar/normativa/nacional/resoluci%C3%B3n-126-2024-399750/texto