Penalty against hospital
Because of an inadequate technical implementation, the authority imposed a fine of CZK 40,000 (approx. €1,550).
Following a complaint from a patient, the Czech data protection authority opened proceedings against the hospital in the city of Tábor. The complainant stated that electronic medical records could be both viewed and altered by unauthorized persons. The DPA therefore focused on this point and found that the access logs kept for each medical record were incomplete: from these logs it was not possible to tell who had accessed a record, and there was no change log at all. It was also noted that, with the exception of psychiatric patients, any physician could access every medical record. Precisely because access is that broad, a reliable access log is essential.
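The two controls the DPA found missing, a record of who read each medical record and a record of what was changed, are illustrated below. This is an added example and not code from the article or from the hospital's system; the user names, record ids, field names and timestamps are constructed for illustration. Every read and every write goes through the log, and entries are hash-chained so that editing or removing an earlier entry is detectable.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditLog:
    """Append-only, hash-chained log of every read and every change of a record."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    @staticmethod
    def _digest(entry):
        # Hash the canonical JSON form of the entry, excluding its own hash field.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, entry):
        entry["prev"] = self._prev_hash
        entry["hash"] = self._digest(entry)
        self._prev_hash = entry["hash"]
        self.entries.append(entry)

    @property
    def head(self):
        # The latest hash must be stored out of band (WORM storage, a second system):
        # the chain alone cannot detect that entries were dropped from the tail.
        return self._prev_hash

    def log_read(self, user, record_id, ts):
        self._append({"ts": ts, "user": user, "record": record_id, "action": "read"})

    def log_change(self, user, record_id, field, old, new, ts):
        self._append({"ts": ts, "user": user, "record": record_id,
                      "action": "change", "field": field, "old": old, "new": new})

    def verify(self, expected_head=None):
        """True only if no entry was altered, removed or reordered (and, if the
        externally stored head is given, none was removed from the end)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return expected_head is None or prev == expected_head

    def history(self, record_id):
        """Who touched this record, when, and which field they changed."""
        return [(e["ts"], e["user"], e["action"], e.get("field"))
                for e in self.entries if e["record"] == record_id]


class RecordStore:
    """Patient records; every access is logged, so nothing is read or edited silently."""

    def __init__(self, log):
        self.log = log
        self._records = {}

    def read(self, user, record_id, ts):
        self.log.log_read(user, record_id, ts)
        return dict(self._records.get(record_id, {}))

    def update(self, user, record_id, field, new, ts):
        rec = self._records.setdefault(record_id, {})
        old = rec.get(field)
        self.log.log_change(user, record_id, field, old, new, ts)
        rec[field] = new


def demo():
    """Constructed scenario: two physicians touch one record, then the log is tampered with."""
    log = AuditLog()
    store = RecordStore(log)
    store.update("dr.novak", "P-1001", "diagnosis", "J18.9", "2023-05-02T08:15:00Z")
    store.read("dr.svoboda", "P-1001", "2023-05-02T09:40:00Z")
    store.update("dr.svoboda", "P-1001", "diagnosis", "J18.1", "2023-05-02T09:42:00Z")
    head = log.head
    intact_before = log.verify(head)
    log.entries[1]["user"] = "dr.nobody"  # attempt to pin the access on someone else
    return intact_before, log.verify(head), log.history("P-1001")


if __name__ == "__main__":
    before, after, hist = demo()
    print("intact before tampering:", before, "| after:", after)
    for row in hist:
        print(*row)
```

The hash chain makes in-place edits and deletions in the middle of the log detectable; truncation at the end is only caught by comparing against a head hash kept outside the system that writes the log, which is why `verify` takes it as a parameter.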
Due to the defects found, the authority imposed the above fine. The hospital accepted the penalty amount.
Once again it is clear that the technical protection of data processing is essential. Numerous fines have already been imposed because the measures taken were inadequate. Since Art. 32 GDPR requires security measures that take the state of the art into account, a regular review of those measures is necessary.
To optimally protect personal data, even small and medium-sized businesses need a powerful but easy-to-use firewall. Our easyGDPR data protection and data security package offers the right device with the Sophos Next-Generation Firewall.
Type of violation:
Were sensitive data affected?:
GDPR article violated:
Art. 32 Security of processing
Art. 9 Processing of special categories of personal data