Penalty against medical practice

While visiting his primary care physician, an individual discovered that he was officially assigned to another practice, even though he had never been a patient there. As a result, a complaint was filed with the data protection authority.

During the course of the investigation, it was discovered that the individual had previously had a different primary care physician. After the change, the patient was set to “inactive” in the software there.

Later, however, the practice was sold, and in the course of the patient transfer, not only the active patients were transferred by mistake, but also all the inactive patients. In the course of the change, the state health insurance company was also informed about the alleged change.

The data protection authority saw a violation of the General Data Protection Regulation and imposed a fine in the amount of 1000 lev, which corresponds to approximately € 500.

Entscheidungsdatum:
08.04.2019

Land:
Bulgaria

Art des Verstoßes:
Illegal data processing

Betroffene Datensätze:
1

Waren sensible Daten betroffen?:
Yes

verhängte Geldstrafe:
€ 500,-

Violation of GDPR Paragraph:

5. Principles relating to personal data processing
9. Processing of special categories of personal data

Quelle:
Communication from the Bulgarian Data Protection Authority (Bulgarian)