Wednesday, 26 November, 2025

Lancet Labs fined for data breach

Numerous high-profile data breaches, leaks and other security incidents had been reported in South Africa in the past year, among them Lancet Laboratories, which had suffered multiple breaches and was fined R100 000 for failing to respond to the South African Information Regulator’s demands to address shortcomings in its systems, reports BusinessTech.

Information Regulator chairperson Pansy Tlakula said Lancet had paid the fine, which was issued after it failed to comply with an enforcement notice issued in September 2024, but it was concerning that the body had failed to notify the data subjects affected by the security compromise.

The Information Regulator issued the enforcement notice after it found Lancet had not notified people that their data had been exposed within a reasonable period, as required under the Protection of Personal Information Act (POPIA), and it had been ordered to urgently implement adequate security safeguards to protect personal information and prevent unauthorised access.

Lancet was also told to establish and maintain proper breach notification processes to ensure affected data subjects are notified without undue delay, and instructed to review and update internal procedures to comply with section 22 of the Act, which deals with breach disclosures.

When the company failed to meet these requirements, the regulator imposed a R100 000 penalty through a POPIA infringement notice, which Tlakula confirmed it has paid.

During the 2024/25 financial year, 2 374 data breaches were reported, with an average of 198 notifications per month.

In the year-to-date since April 2025, the watchdog said 1 947 security compromise incidents were reported, adding up to a 40% increase in security compromises.

“The Regulator continues to be deeply concerned about the increased number of compromise incidents occurring,” Tlakula added, urging the public and private sectors to make the necessary investments in their information security capabilities.

She said companies and institutions must develop and maintain appropriate technical and organisational measures to secure the integrity and confidentiality of personal information in their possession.

Under current regulations, companies are required to notify the regulator and the data subjects whose information has been compromised, but do not need to make a public statement.

Based on the Information Regulator’s report, thousands of security compromises in South Africa do not become publicly known.

 

BusinessTech article – Large medical lab in South Africa suffers multiple data breaches (Open access)

 
