Tag: Health Data

Fine imposed on the City of Oslo

2. January 2020

The Norwegian data protection authority (datatilsynet) recently imposed a fine of €49,300 on the city of Oslo. The reason for the fine was that the city has kept patient data outside the electronic health record system at the city’s nursing homes/health centres from 2007 to November 2018.

The case became known because the City of Oslo reported a data breach to the Data Protection Authority in November 2018. This report included information that various governmental and private nursing homes/health centres were using work sheets. These contained information about the residents, such as their daily needs and care routines, but also full names and room numbers. The work sheets were stored on the respective intranet of the institution and all employees, including for example cleaning staff, had access to this data.

After the procedure came to the surface, the Nursing Home Agency instructed all nursing homes/health centres to delete the work sheets immediately. Due to the way the data was stored, it is not possible to determine who exactly accessed the data and when, and whether unauthorised persons were among them.

In calculating the amount of the fine, the Data Protection Agency has taken into account that the City of Oslo reported the incident itself and has taken quick steps to delete the data. It was also taken into account that the incident occurred for the most part in the period before the new Data Protection Act (in force since July 2018) came into force and that under the old Data Protection Act the maximum amount of a fine was €100,000.

Health data transfered to Google, Amazon and Facebook

18. November 2019

Websites, spezialized on health topics transfer information of website users to Google, Amazon and Facebook, as the Financial Times reports.

The transferred information are obtained through cookies and include medical symtoms and clinical pictures of the users.

Referring to the report of the Financial Times does the transfer take place without the express consent of the data subject, contrary to the Data Protection Law in the UK. Besides the legal obligations in the UK, the procedure of the website operators, using the cookie, contradicts also the legal requirements of the GDPR.

According to the requirements of the GDPR the processing of health data falls under Art. 9 GDPR and is a prohibition subject to permission, meaning, that the processing of health data is forbidden unless the data subject has given its explicit consent.

The report is also interesting considering the Cookie judgement of the CJEU (we reported). Based on the judgment, consent must be obtained for the use of each cookie.

Accordingly, the procedure of the website operators will (hopefully) change in order to comply with the new case law.

 

Aetna to pay fine for HIV privacy breach

31. January 2019

Healthcare insurer Aetna will have to pay a 935,000$ fine after letters had been sent to nearly 12.000 patients in 2017, disclosing highly sensitive information on the windows of the envelopes.

The information revealed that the recipients were taking HIV-related medications.

In addition, the insurance company will have to complete privacy risk assessments annualy for three years.

The patients have received compensation through a private class action settlement.

 

400,000€ fine for a Portuguese hospital

24. October 2018

The Portuguese data protection supervisory authority CNPD (Comissão Nacional de Protecção de Dados) recently announced that the hospital Barreiro Montijo is to pay a fine of 400,000€ for incompliancy with the EU General Data Protection Regulation (GDPR). This is the first time that a high fine has been imposed in Europe based on the new GDPR framework of fines.

According to Portuguese newspaper Público, the hospital has violated the GDPR by allowing too many users to have access to patient data in the hospital’s patient management system, even though they should only have been visible to medical doctors. In addition, too many profiles of physicians have been created in the hospital system. The CNPD discovered that 985 users with the access rights of a medical doctor were registered, although only 296 physicians were employed in 2018.

The hospital now wants to take legal action against the fine.