
Portuguese Data Protection Authority Imposes 400,000 € Fine on Hospital

GDPR News: 400,000 € Fine on Hospital

The Barreiro Hospital in Portugal was fined 400,000 € by the Portuguese Data Protection Authority CNPD (Comissão Nacional de Proteção de Dados) for non-compliance with the EU General Data Protection Regulation (GDPR): it had failed to separate access rights to patients’ clinical data.


The public-sector hospital had granted access to patients’ clinical data through its system to at least nine non-medical staff (social workers). In addition, the CNPD found that 985 user accounts were registered with the access role for medical doctors, while only 296 physicians work at the hospital. Furthermore, patient data at Barreiro hospital was not properly separated from the archived data of another hospital, and the access authentication mechanisms were found to be insufficient.
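The two findings above (more accounts holding the doctor role than there are doctors, and non-medical staff able to read clinical records) are exactly what a periodic access review is meant to catch. The following is an added example, not part of the article or of any CNPD material, showing how a defender can reconcile an export from the clinical system's access control against the HR roster. The records, account ids and job titles are constructed, and the assumption that only physicians and nurses legitimately need clinical-record access is the example's own.

```python
from collections import Counter

# Constructed sample data for illustration; not taken from the CNPD inspection.
# Each IAM record: account id, the role assigned in the clinical system, and
# whether that role grants read access to patient clinical records.
IAM_EXPORT = [
    {"user": "u001", "role": "physician",     "can_read_clinical": True},
    {"user": "u002", "role": "social_worker", "can_read_clinical": True},   # role grants too much
    {"user": "u003", "role": "physician",     "can_read_clinical": True},
    {"user": "u004", "role": "physician",     "can_read_clinical": True},   # HR says social worker
    {"user": "u005", "role": "physician",     "can_read_clinical": True},   # not in HR at all
    {"user": "u006", "role": "admin_clerk",   "can_read_clinical": False},
]

# HR roster: account id -> job title. Treated here as the source of truth for who does what.
HR_ROSTER = {
    "u001": "physician",
    "u002": "social_worker",
    "u003": "physician",
    "u004": "social_worker",
    "u006": "admin_clerk",
}

# Job titles that legitimately need clinical-record access (an assumption of this example).
CLINICAL_JOBS = {"physician", "nurse"}


def role_headcount_gap(iam, hr):
    """Roles held by more accounts than HR has staff in the matching job.
    Returns {role: (accounts_with_role, staff_in_job)} for every over-assigned role."""
    accounts = Counter(rec["role"] for rec in iam)
    staff = Counter(hr.values())
    return {role: (n, staff[role]) for role, n in accounts.items() if n > staff[role]}


def nonclinical_with_clinical_access(iam, hr):
    """Accounts that can read clinical data although HR does not list them in a clinical job.
    Accounts unknown to HR are included, since their job cannot be confirmed."""
    return sorted(rec["user"] for rec in iam
                  if rec["can_read_clinical"] and hr.get(rec["user"]) not in CLINICAL_JOBS)


def orphan_accounts(iam, hr):
    """Accounts present in the access system but absent from the HR roster."""
    return sorted(rec["user"] for rec in iam if rec["user"] not in hr)


if __name__ == "__main__":
    print("over-assigned roles:", role_headcount_gap(IAM_EXPORT, HR_ROSTER))
    print("non-clinical staff with clinical access:",
          nonclinical_with_clinical_access(IAM_EXPORT, HR_ROSTER))
    print("orphan accounts:", orphan_accounts(IAM_EXPORT, HR_ROSTER))
```

On the sample data the physician role is held by four accounts while HR lists two physicians, which is the same kind of mismatch the CNPD reported (985 doctor-role accounts against 296 physicians). Running the reconciliation on every access review, with HR as the authoritative source for job titles, turns that finding from something an inspector discovers into something the controller catches first.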

The fines were imposed after the Authority had inspected the hospital, having been alerted by the medical association. The CNPD held that three principles had been violated: integrity and confidentiality; data minimisation, which requires limiting access to patients’ clinical data; and data security, since the controller was unable to ensure the confidentiality and integrity of the data in its system. The first two breaches were fined 150,000 € each, and the third added a further 100,000 €.
