€400,000 GDPR fine imposed by Portuguese Data Protection Authority. | Hospital pays huge penalty for allowing unauthorised access to patient records.
In July, the Portuguese Supervisory Authority (CNPD) imposed a fine of €400.000 on a hospital, for infringement of the GDPR. The violation and subsequent penalty was not made public at the time.
Earlier this week, the hospital publicly announced that it intends to contest the fine.
During an investigation,the CNPD discovered that hospital employees had access to patient data through false profiles. Investigators noticed an anomaly in Barreiro Montijo hospital’s profile management system. It appeared that 985 users were registered on the system under the ‘Physician’ category. However, only 296 physicians were indicated as working at the hospital.
GDPR fine imposed … for allowing unauthorised access
The CNPD concluded that the hospital did not put in place adequate technical and organizational measures to protect patient data.
Moreover, the hospital did not consult the Ministry of Health concerning suspected security deficiencies in the government provided system. It also failed to set rules and access levels for creating user accounts, and did not remove former doctors’ accounts.
The Publico newspaper reported that two fines had been issued as a result of the CNPD audit. The first fine of €300,000, for failure to respect patient confidentiality and limit access to patient data. The second €100,000 fine was for failing to “ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services”.
In its defence, the hospital said that it uses the IT system provided to public hospitals by the Portuguese Health Ministry. The CNPD argued that it was the hospital’s responsibility to ensure that any IT systems it uses are GDPR compliant.
The hospital also challenged the CNPD’s jurisdiction to impose fines because the proposed law adapting GDPR had not yet been actioned. However, the CNPD responded that its powers under the existing Data Protection Act continue after GDPR law is enacted.
Data Protection Act stands – while GDPR is implemented
Portugal has not yet implemented the GDPR. But, in this case the CNPD applied GDPR principles and relied on the GDPR to determine the fine. This is one of the largest fines imposed by the country’s DPA to date. The current law allocates half of the fine to the CNPD budget – the future implementing law will likely contain a similar provision.
Editor’s comment: All businesses and non-commercial organisations have a responsibility to safeguard the personal information of living persons stored in their data systems. Unauthorised access to records, whether internally, or via cyber attack can be immensely costly, in terms of financial penalties and reputational damage.