Penalty for lost medical record
A hospital patient made use of his right to information and requested all personal data that the hospital stored about him.
However, the hospital was unable to respond positively to the request because the patient’s file was lost. The data subject then complained to the data protection authority in Cyprus.
In the course of the investigation, the authority clarified that data protection includes not only protection against unauthorized access but also ensuring that personal data is not lost. The hospital had therefore violated the General Data Protection Regulation. A fine of € 5,000 was imposed. The authority emphasized that the penalty would have been significantly higher if the hospital had not taken immediate steps to prevent such incidents in the future.
Conclusion
When it comes to data protection, the first thing that comes to mind is protection against unauthorized access. Yet this topic encompasses much more. Companies must also ensure that collected data is accurate. Outdated records pose a risk to companies and the data subject. Therefore, the General Data Protection Regulation has also introduced the right of rectification.
Another key aspect of data protection, however, is data availability. If data is lost and there is no backup, a company not only risks being fined by the data protection authority, as this case shows, but also loses the basis of its business. Data loss does not necessarily mean that a hard disk has become defective. Currently, a particularly large number of encryption Trojans are in circulation, encrypting data and demanding a ransom for it. Therefore, it is essential for companies to efficiently protect their computer networks from cybercriminals. One way to do this is with our easyGDPR package for data protection and data security. This way, you not only create your record of processing activities and thus fulfill the formal requirements of the GDPR, but are also optimally protected against threats from the Internet thanks to the latest firewall.
Please also note our article on the subject: https://easygdpr.eu/de/2019/06/schutzvorcyberattacken/
Date of decision:
15.02.2019
Country:
Cyprus
Type of violation:
technical deficiency
Records affected:
1
Was sensitive data affected?:
No
Fine imposed:
€ 5,000,-
Violation of GDPR Paragraph:
unknown
Source:
Decision of the Cyprus Data Protection Authority (Cypriot)