GDPR fine after careless storage of health data
The London-based pharmacy Doorstep Dispensaree Ltd had to pay a GDPR fine for their insecure storage of information about their patients. The company supplies medicines to customers and care homes. The Medicines and Healthcare Products Regulatory Agency found insecurely stored documents and alerted the ICO (Information Commissioner’s Office, Data Protection Authority in the UK), which launched an investigation.
The ICO found approximately 500,000 documents with information about patients dated between June 2016 and June 2018 in unlocked containers outside. These documents contained names, addresses, dates of birth, NHS numbers, medical information and prescriptions of an unknown number of people. Some documents were already damaged by water, due to missing protections against the elements. The pharmacy has to pay 275,000 pounds in fines. The pharmacy also received an enforcement notice. It now needs to correct its data protection practices within three months. If it doesn’t comply, further actions may follow.
The GDPR affects a wide variety of information. It also includes data “saved” in paper form. According to the GDPR, data controllers have to protect personal data from unauthorized access and damage. In addition, health data belongs to a special category of personal data that requires additional protection.
Type of Issue:
inadequate data protection
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph: