Yesterday we talked about the first GDPR fine issued by the Austrian Data Protection Authority, which paved the way for the slew of fines to come. We didn't expect the next one to arrive on the very same day. The Portuguese Data Protection Authority (CNPD) has joined the club with a €400,000 fine issued to Barreiro Hospital for non-compliance with the EU GDPR, specifically for failing to separate access rights to patients' clinical data.
The Authority had been alerted by the medical association and carried out an inspection, finding that the hospital's system granted at least nine non-medical professionals (social workers) access to patients' medical data. It also found 985 user accounts registered with physician-level access clearance, while the hospital actually employed 296 working physicians. The CNPD further discovered that the hospital's patient data had been merged with archived data from another hospital, and that the authentication mechanisms controlling access were insufficient.
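The two findings above (non-clinical staff reaching clinical records, and far more physician-level accounts than physicians) are exactly what a periodic access recertification is meant to surface: reconcile the clinical system's role assignments against the HR roster and flag every account whose access is not backed by a current job function. The script below is an added example written for this article, not code from the CNPD, the hospital or the original post; the role names, the role-to-data mapping, the roster and the account export are all constructed for illustration.

```python
"""Access-rights reconciliation (added example, not from the article).

Flags the two kinds of finding the article describes:
  * accounts holding a clinical role that no matching employee backs
    (orphan or mismatched accounts), and
  * accounts whose system role grants clinical-record access although
    the person's HR function does not warrant it.
All data below is constructed for illustration.
"""

# Constructed: which record classes each role may access.
ROLE_ACCESS = {
    "physician": {"clinical", "admin"},
    "nurse": {"clinical"},
    "social_worker": {"admin"},   # must not reach clinical records
    "billing": {"admin"},
}

# Constructed HR roster: who is currently employed, and in what function.
HR_ROSTER = {
    "u100": "physician",
    "u101": "physician",
    "u200": "nurse",
    "u300": "social_worker",
    "u400": "billing",
}

# Constructed export of the clinical system's user/role assignments.
SYSTEM_ACCOUNTS = {
    "u100": "physician",
    "u101": "physician",
    "u102": "physician",   # no HR record at all: stale or orphan account
    "u200": "nurse",
    "u300": "physician",   # a social worker holding a physician role
    "u400": "billing",
}


def reconcile(accounts, roster, role_access):
    """Return {account_id: [issue, ...]} for every account that fails a check."""
    findings = {}
    for uid, sys_role in accounts.items():
        issues = []
        hr_function = roster.get(uid)

        # Check 1: every account must map to a current employee with the same role.
        if hr_function is None:
            issues.append("orphan account: no HR record")
        elif sys_role != hr_function:
            issues.append(f"role mismatch: system={sys_role}, hr={hr_function}")

        # Check 2: clinical-record access must be justified by the HR function,
        # not merely by whatever role the system happens to hold.
        grants_clinical = "clinical" in role_access.get(sys_role, set())
        warrants_clinical = "clinical" in role_access.get(hr_function, set())
        if grants_clinical and not warrants_clinical:
            issues.append("clinical access not justified by HR function")

        if issues:
            findings[uid] = issues
    return findings


def role_headcount_gap(accounts, roster, role):
    """Compare how many accounts hold `role` with how many employees have it.

    Returns (granted, employed, excess); a positive excess is the
    '985 accounts vs 296 physicians' pattern.
    """
    granted = sum(1 for r in accounts.values() if r == role)
    employed = sum(1 for f in roster.values() if f == role)
    return granted, employed, granted - employed


if __name__ == "__main__":
    for uid, issues in sorted(reconcile(SYSTEM_ACCOUNTS, HR_ROSTER, ROLE_ACCESS).items()):
        print(uid, "->", "; ".join(issues))
    granted, employed, excess = role_headcount_gap(SYSTEM_ACCOUNTS, HR_ROSTER, "physician")
    print(f"physician role: {granted} accounts, {employed} employed, excess {excess}")
```

Running the check on every recertification cycle (and on every HR leaver/mover event) keeps the excess at zero; in practice the HR roster would come from the identity source of truth and the account export from the clinical system's admin API, both of which are assumed here.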
The CNPD found three infringements: of the principle of integrity and confidentiality, of the principle of data minimization, and of the controller's obligation to ensure the confidentiality and integrity of the data in its system. The first two were penalised at €150,000 each, and the third added a further €100,000, bringing the total to €400,000.
The hospital, however, is contesting the CNPD's authority to impose such fines and may still seek judicial review of the CNPD's decision.