Capio St. Göran AB
2,900,000 €
GDPR enforcement action by Data Protection Authority of Sweden (Integritetsskyddsmyndigheten) on 2020-12-03.
Rank · Sector: #4 of 270 in Health Care
Rank · Sweden: #5 of 46
Rank · All fines: #106 of 3,050
Case details
- Authority: Data Protection Authority of Sweden (Integritetsskyddsmyndigheten)
- Date: 2020-12-03
- Controller / Processor: Capio St. Göran AB
- Sector: Health Care
- Quoted Articles: Art. 5 (1) f) GDPR, Art. 5 (2) GDPR, Art. 32 (1) GDPR, Art. 32 (2) GDPR
- Type of violation: Insufficient technical and organisational measures to ensure information security
Summary
The Swedish DPA (Integritetsskyddsmyndigheten) fined Capio St. Göran AB SEK 30,000,000 (EUR 2,900,000) for failing to implement adequate technical and organizational measures to ensure information security. It was found that there was no risk analysis regarding the access to patient data. Authorizations for users of the hospital information systems Cosmic, Nationell patientöversikt and TakeCare were not assigned according to the principle of minimum access. This gave users full access to confidential patient data that they did not need for work purposes.
Related fines

| Country | Date | Fine | ID | Controller / Processor | Sector |
|---|---|---|---|---|---|
| Sweden | 2020-03-11 | 5,000,000 € | ETid-232 | Google LLC | Media, Telecoms and Broadcasting |
| Sweden | 2023-06-12 | 4,900,000 € | ETid-1876 | Spotify | Media, Telecoms and Broadcasting |
| Sweden | 2024-08-29 | 3,200,000 € | ETid-2449 | Apoteket AB | Health Care |
| Sweden | 2023-08-28 | 3,000,000 € | ETid-2021 | Trygg-Hansa | Finance, Insurance and Consulting |
| Sweden | 2021-06-21 | 1,600,000 € | ETid-733 | Storstockholms Lokaltrafik | Transportation and Energy |
| Sweden | 2020-12-03 | 1,463,000 € | ETid-466 | Aleris Sjukvård AB | Health Care |