Portugal
Public Hospital
400,000 €
GDPR enforcement action by Portuguese Data Protection Authority (CNPD) on 2018-07-17.
Rank · Sector
#18
of 270 in Health Care
Rank · Portugal
#3
of 7
Rank · All fines
#267
of 3,051
Case details
- Authority
- Portuguese Data Protection Authority (CNPD)
- Date
- 2018-07-17
- Controller / Processor
- Public Hospital
- Sector
- Health Care
- Quoted Articles
- Art. 5 (1) f) GDPR, Art. 32 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
Investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty.
Open original source
Links to the regulator's original publication or another source.
Related fines
Portugal
2022-11-02
4,300,000 €
ETid-1524
Portuguese National Statistical Institute
Public Sector and Education
Portugal
2021-12-21
1,250,000 €
ETid-995
Lisbon City Council
Public Sector and Education
Portugal
2022-11-02
180,000 €
ETid-1498
Setúbal municipality
Public Sector and Education
Portugal
2019-02-05
20,000 €
ETid-76
Unknown
Not assigned
Portugal
2019-03-25
2,000 €
ETid-77
Unknown
Not assigned
Portugal
2019-03-19
2,000 €
ETid-108
Unknown
Not assigned