Repeated incorrect sending of doctor’s letters, no logging function for access to patient data
The reason for the fine, is due to a data breach that occurred at a healthcare company.
Employees of the company repeatedly sent medical letters to a person who was not the person’s continuing physician, but who also practiced a medical profession. The data protection authority sees insufficient technical and organizational measures on the part of the company as the cause of this. Although the company was alerted to the sending of the data from the wrong recipient and it was marked with a blocking notice, a software update did not include this notice. This caused the data to be sent to the wrong person again.
Furthermore, at one site, the company did not have a function to log file accesses over the period of one year.
The penalty notice is legally binding.
Art des Verstoßes:
Illegal data processing
Waren sensible Daten betroffen?:
Violation of GDPR Paragraph:
32. Security of processing
Activity Report 2021 HmbBfDI