Prosecutor general launches probe into unauthorized access to health accreditation system

The Lithuanian Prosecutor General’s Office has launched a pre-trial investigation into the alleged unauthorized access to the information system of the State Accreditation Service for Health Care Activities (SAM), Prosecutor General Nida Grunskienė confirmed on Tuesday.

Speaking to journalists at the Seimas, Grunskienė stated that the investigation began on Tuesday following a report from the Ministry of Health. “Today we received a report from the Ministry of Health and a pre-trial investigation has been launched (…) into the unauthorized access to information systems,” she said.

Earlier, Health Minister Marija Jakubauskienė disclosed that a cyber incident was detected late on Monday in a system managed by SAM. According to preliminary findings, attackers exploited a vulnerability in the open-source tool “Apache Superset” to gain unauthorized access. However, the central e-health system, which stores sensitive patient data, was not compromised.

The incident may have exposed and allowed the copying of personal data belonging to over 62,000 healthcare professionals, as well as administrative and technical metadata from approximately 156 institutions.

The Prosecutor General’s Office later specified that the investigation was initiated under Article 198 of the Criminal Code, which pertains to unauthorized access to an information system. The Lithuanian Criminal Police Bureau has been tasked with conducting the investigation.

Grunskienė also addressed recent data breach incidents involving state institutions, including the Registrų Centras (RC) and potential breaches in the Migration Department’s employee accounts. She noted that a pre-trial investigation into the RC incident, launched in mid-April, has been expanded to include charges of failure to perform official duties.

“All evidence is being collected, and we are trying to answer all questions. I can also say today that we have no information that there have been attempts to break into registers containing biometric data of individuals (…) The pre-trial investigation is ongoing, I don’t know what will happen in a month,” Grunskienė said.

The expanded investigation aims to determine whether all institutions involved fulfilled their duties properly and to address public information concerns.

Earlier reports also suggested a possible breach in the email accounts of employees at institutions under the Ministry of the Interior. Interior Minister Vladislavas Kondratovičius stated that the ministry’s information systems and residents’ biometric data remain secure, clarifying that the suspicions relate to email inboxes of employees at VRM institutions.

On April 15, the Prosecutor General’s Office launched an investigation into an incident at the Registrų Centras, where over 600,000 real estate records were potentially stolen, resulting in damages estimated at no less than 111,000 euros. The State Data Protection Inspectorate estimates the number of affected residents to be slightly lower, at around 500,000.