Penalty against hospital
After a fine was already imposed on a hospital in Portugal, a case has now also come to light in the Czech Republic.
Due to inadequate technical implementation, the authority imposed a fine of CZK 40,000 (approx. € 1550).
Background
Following a complaint from a patient, the Czech data protection authority opened proceedings against the hospital in the city of Tábor. The complainant stated that the electronic medical records could be both viewed and altered by unauthorized persons. The DPA therefore focused on this aspect and found that the logs kept for each medical record were incomplete: they do not make clear who accessed the record, and there is no change log at all. It was also noted that, with the exception of psychiatric patients' records, any physician can access all medical records. Precisely because access is this broad, a reliable access log is essential.
Due to the defects found, the authority imposed the above fine. The hospital accepted the penalty amount.
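The two defects the DPA found, access entries that do not say who acted and the absence of any change log, are easiest to see as an audit-trail design. The following added example (not the hospital's system, nor anything from the authority's decision; the record and user identifiers are constructed) keeps a per-record, append-only trail that records the actor for every view and the before/after values for every modification, refuses access without an identified actor, and includes a checker that reports the kind of gaps the authority objected to.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class AuditEvent:
    record_id: str
    actor: str                        # clinician's user id; the DPA finding was that this was missing
    action: str                       # "view" or "modify"
    at: str                           # ISO-8601 UTC timestamp
    old_value: Optional[str] = None   # for "modify": the entry before the change
    new_value: Optional[str] = None   # for "modify": the entry after the change

def audit_gaps(events):
    """Describe entries that would not let a reviewer say who accessed or changed a record."""
    gaps = []
    for i, e in enumerate(events):
        if not e.actor:
            gaps.append(f"event {i}: {e.action} of {e.record_id} has no actor")
        if e.action == "modify" and (e.old_value is None or e.new_value is None):
            gaps.append(f"event {i}: modification of {e.record_id} lacks before/after values")
    return gaps

class MedicalRecordStore:
    """Toy record store (hypothetical) whose every read and write goes through the audit trail."""
    def __init__(self):
        self._records = {}
        self._audit = []   # append-only; nothing below ever removes or edits an entry

    def _log(self, **kw):
        if not kw["actor"]:
            raise ValueError("access without an identified actor is refused")
        self._audit.append(AuditEvent(at=datetime.now(timezone.utc).isoformat(), **kw))

    def view(self, record_id, actor):
        self._log(record_id=record_id, actor=actor, action="view")
        return self._records.get(record_id)

    def modify(self, record_id, actor, new_value):
        old = self._records.get(record_id, "")   # "" marks a newly created record
        self._log(record_id=record_id, actor=actor, action="modify", old_value=old, new_value=new_value)
        self._records[record_id] = new_value

    def trail(self, record_id):
        return [e for e in self._audit if e.record_id == record_id]

# Constructed sample of an incomplete legacy log of the kind the DPA objected to:
# a view with no actor, and a modification with no record of what changed.
LEGACY_LOG = [
    AuditEvent("pat-001", "", "view", "2018-09-01T08:00:00+00:00"),
    AuditEvent("pat-001", "dr.novak", "modify", "2018-09-01T08:05:00+00:00"),
]
```

Running `audit_gaps(LEGACY_LOG)` reports both defects, while the trail produced by `MedicalRecordStore` passes the same check.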
Conclusion
Once again, it becomes clear that the technical protection of data processing is essential. Countless fines have already been imposed because the measures taken were inadequate. Since the GDPR requires security measures that reflect the state of the art, a regular review is necessary.
To optimally protect personal data, even small and medium-sized businesses need a powerful but easy-to-use firewall. Our easyGDPR data protection and data security package offers the right device with the Sophos Next-Generation Firewall.
Decision date:
30.09.2018
Country:
Czech Republic
Type of violation:
technical deficiency
Affected records:
unknown
Were sensitive data affected?:
Yes
Fine imposed:
€ 1,550,-
Violation of GDPR Paragraph:
32. Security of processing
9. Processing of special categories of personal data
Source:
Communication from the Czech data protection authority UOOU (Czech)