Fine imposed on a hospital
A hospital in Portugal was fined for failing to comply with the GDPR. The Portuguese data protection authority found that access to medical data was not limited to doctors and other medical personnel: users with the "technician" profile could also view patient medical records without restriction. Furthermore, approximately 900 active user accounts with the "doctor" profile were present, although the hospital employs only about 300 doctors.
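The two findings in the decision are exactly what a periodic access review should catch: a profile that grants more than its role needs, and more accounts in a privileged role than there are people entitled to it. The following is an added example, not code from the page or from the hospital, showing such a reconciliation in Python. The user-store export, HR roster, profile names, permission strings and the list of profiles that legitimately need record access are all constructed sample data and assumptions.

```python
"""Reconcile application role assignments against the HR roster.

Added example, not taken from the original page or from any hospital
system. All data below is constructed; field names, profile names and
permission strings are assumptions about what such an export might contain.
"""

# Constructed: minimal export from the clinical application's user store.
# hr_id links an account to a person in HR; None means no person is behind it.
ACCOUNTS = [
    {"username": "asilva",  "profile": "doctor",     "active": True,  "hr_id": "H001"},
    {"username": "jcosta",  "profile": "doctor",     "active": True,  "hr_id": "H002"},
    {"username": "svc_lab", "profile": "doctor",     "active": True,  "hr_id": None},
    {"username": "mrocha",  "profile": "doctor",     "active": True,  "hr_id": "H009"},
    {"username": "tneves",  "profile": "technician", "active": True,  "hr_id": "H003"},
    {"username": "old_doc", "profile": "doctor",     "active": False, "hr_id": "H004"},
]

# Constructed: current HR roster, treated as the source of truth for who is a doctor.
HR_ROSTER = {
    "H001": {"job": "doctor"},
    "H002": {"job": "doctor"},
    "H003": {"job": "technician"},
    "H004": {"job": "doctor"},
}

# Constructed: permissions each application profile grants.
# "technician" reading patient records is the weak setting the review should flag.
PROFILE_PERMISSIONS = {
    "doctor":     {"patient_record:read", "patient_record:write"},
    "technician": {"patient_record:read", "equipment:manage"},
    "admin":      {"user:manage"},
}

# Assumed policy: only these profiles have a clinical need for patient records.
CLINICAL_PROFILES = {"doctor", "nurse"}


def orphan_privileged_accounts(accounts, roster, profile="doctor"):
    """Active accounts holding `profile` that are not backed by a current
    HR record whose job matches that profile (service accounts, leavers,
    or people whose job changed). Returned sorted for stable output."""
    orphans = []
    for acct in accounts:
        if not acct["active"] or acct["profile"] != profile:
            continue
        person = roster.get(acct["hr_id"]) if acct["hr_id"] else None
        if person is None or person["job"] != profile:
            orphans.append(acct["username"])
    return sorted(orphans)


def over_privileged_profiles(perms, clinical_profiles, resource="patient_record"):
    """Profiles outside the clinical set that hold any permission on `resource`."""
    flagged = set()
    for profile, granted in perms.items():
        if profile in clinical_profiles:
            continue
        if any(p.split(":")[0] == resource for p in granted):
            flagged.add(profile)
    return flagged


def headcount_gap(accounts, roster, profile="doctor"):
    """(active accounts with `profile`, people in HR with that job).
    A large first number relative to the second is the signal the
    regulator relied on, independent of any per-account linkage."""
    active = sum(1 for a in accounts if a["active"] and a["profile"] == profile)
    staffed = sum(1 for p in roster.values() if p["job"] == profile)
    return active, staffed


if __name__ == "__main__":
    print("orphan doctor accounts:", orphan_privileged_accounts(ACCOUNTS, HR_ROSTER))
    print("non-clinical profiles with record access:",
          over_privileged_profiles(PROFILE_PERMISSIONS, CLINICAL_PROFILES))
    print("doctor accounts vs doctors on roster:", headcount_gap(ACCOUNTS, HR_ROSTER))
```

The headcount comparison needs no join key and is the cheapest control to run first; the per-account reconciliation then tells you which accounts to disable. Both checks only work if the HR roster is actually maintained, so the review should also confirm the roster's own freshness before trusting it.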
Decision date:
17 July 2018
Country:
Portugal
Type of Issue:
technical deficiency
Number of involved data records:
unknown
Special category of data involved:
Yes
Fine:
€400,000
Violated GDPR article:
Art. 32 (Security of processing)
Reference:
heise.de news report (in German)