Italy

Azienda Ospedaliero Universitaria Integrata di Verona (Hospital)

30,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2020-01-23.

Rank · Sector: #81 of 270 in Health Care
Rank · Italy: #159 of 543
Rank · All fines: #884 of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2020-01-23
Controller / Processor: Azienda Ospedaliero Universitaria Integrata di Verona (Hospital)
Sector: Health Care
Quoted Articles: Art. 5 (1) f) GDPR, Art. 32 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The fine followed unauthorised access to health data: a trainee and a radiologist were able to view the health records of their colleagues. The investigation found that the technical and organisational measures the hospital had adopted to protect health data were insufficient to ensure adequate protection of patients' personal data, so the processing was unlawful. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines on health records that the authority issued in 2015, which require that access to health records be restricted to the health personnel involved in the patient's care.
