The Comissão Nacional de Protecção de Dados (CNPD), Portugal’s GDPR supervisory authority, has fined Barreiro Montijo hospital, near Lisbon, for failing to control access to patient information stored in its patient management system.
In April 2018, a report about Barreiro Montijo hospital’s lack of data access controls was sent to the supervisory authority. Healthcare workers in the southern zone had found that non-clinical staff were able to access the patient management system using profiles that should have been restricted to physicians.
CNPD conducted an audit and found 985 hospital employees with access rights to sensitive patient health data, although the hospital employed only 296 doctors; such detailed patient information should have been accessible only to the hospital’s doctors. CNPD also discovered a test profile with unrestricted administrator access to patient information, and nine social workers who had been given access to sensitive patient information.
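The CNPD findings above (more accounts with clinical-level access than there are clinicians, a test profile with administrator rights that belongs to no one, non-clinical staff holding physician profiles) are exactly what a periodic entitlement review is meant to catch. The script below is an added example written for this page, not code from the hospital, its software vendor or the CNPD. It reconciles the profiles granted in a patient management system against the HR roster and flags orphan accounts, profiles that exceed the holder’s job role, and every administrator profile. The profile names, HR job roles, the role-to-profile policy and the account list are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical application profiles that expose full clinical records
# (assumption: the page names no actual profiles).
CLINICAL_PROFILES = {"physician", "admin"}

# Hypothetical policy: which HR job role may hold which application profile.
# Anything not listed here is, by default, not permitted (least privilege).
ROLE_TO_ALLOWED_PROFILES = {
    "doctor": {"physician"},
    "nurse": {"nurse"},
    "social_worker": {"social"},
    "it_admin": {"admin"},
    "clerk": {"reception"},
}


@dataclass(frozen=True)
class Finding:
    account: str
    profile: str
    reason: str


def review_access(app_accounts: Dict[str, str], hr_roster: Dict[str, str]) -> List[Finding]:
    """Reconcile application profile assignments against the HR roster.

    app_accounts: account name -> profile granted in the patient system
    hr_roster:    account name -> job role recorded by HR

    Flags (1) accounts with no HR record (orphans, shared or test accounts),
    (2) accounts whose profile is not permitted for their HR role, and
    (3) every administrator profile, which must be individually justified.
    """
    findings: List[Finding] = []
    for account, profile in sorted(app_accounts.items()):
        role = hr_roster.get(account)
        if role is None:
            findings.append(Finding(account, profile, "no HR record (orphan or test account)"))
            continue
        allowed = ROLE_TO_ALLOWED_PROFILES.get(role, set())
        if profile not in allowed:
            findings.append(Finding(account, profile, f"profile not permitted for role '{role}'"))
        if profile == "admin":
            findings.append(Finding(account, profile, "administrator profile, requires explicit justification"))
    return findings


def clinical_access_gap(app_accounts: Dict[str, str], hr_roster: Dict[str, str]) -> Tuple[int, int]:
    """Return (accounts with clinical-level access, doctors on the HR roster).

    A first number much larger than the second is the headline signal the
    CNPD audit reported (985 accounts versus 296 doctors).
    """
    clinical = sum(1 for p in app_accounts.values() if p in CLINICAL_PROFILES)
    doctors = sum(1 for r in hr_roster.values() if r == "doctor")
    return clinical, doctors


# Constructed sample data (not from the hospital): one social worker holding a
# physician profile, one test account with admin rights and no HR record.
SAMPLE_ACCOUNTS = {
    "asilva": "physician",
    "jcosta": "physician",
    "mpereira": "physician",   # HR says social_worker
    "rlopes": "social",
    "test": "admin",           # no HR record at all
    "ifernandes": "admin",     # legitimate IT admin, still needs justification
    "tnunes": "reception",
}

SAMPLE_HR = {
    "asilva": "doctor",
    "jcosta": "doctor",
    "mpereira": "social_worker",
    "rlopes": "social_worker",
    "ifernandes": "it_admin",
    "tnunes": "clerk",
}


if __name__ == "__main__":
    clinical, doctors = clinical_access_gap(SAMPLE_ACCOUNTS, SAMPLE_HR)
    print(f"{clinical} accounts with clinical-level access, {doctors} doctors on roster")
    for f in review_access(SAMPLE_ACCOUNTS, SAMPLE_HR):
        print(f"{f.account:<12} {f.profile:<10} {f.reason}")
```

Run against a real export, the two inputs are the application’s user/profile table and the HR system’s active-staff list; the review is only as good as the join key between them, so accounts that cannot be matched to a person (the `test` case here) should be disabled rather than explained away.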
Failing to implement proper access controls violates the EU’s General Data Protection Regulation (GDPR), and a violation this serious warranted a financial penalty. The hospital was fined a total of €400,000 ($455,050): €300,000 for failing to limit access to patient data and €100,000 for failing to ensure the integrity, confidentiality and availability of its treatment systems and services. Barreiro Montijo hospital is taking legal action to contest the penalty.
This is the first GDPR violation fine for a hospital and the first issued by Portugal’s GDPR supervisory authority. The penalty could have been much higher. The maximum possible fine is €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.
A GDPR financial penalty was also issued in November by the Baden-Württemberg Data Protection Authority in Germany. The chat platform Knuddels.de was fined €20,000 ($22,750) for failing to secure the personal data of EU residents; its data breach exposed 808,000 users’ email addresses and 1.8 million usernames and passwords. That fine is also relatively low. The data protection authority said it was not seeking maximum fines and commended Knuddels.de for its transparency about the breach, its high level of cooperation with the authority, and the speed with which security upgrades were implemented after the breach.