Health Care

To date, DPAs from 26 different countries have imposed 202 fines (+48 in comparison to the 2023 ETR) for data protection violations by hospitals, pharmacies, physicians and medicine suppliers. This means that in the health care sector, the number of annual fines has decreased by 20% compared to the previous reporting period. The sum of fines now amounts to about EUR 16.5 million (+0.8 million in comparison to the 2023 ETR). Last year’s strong growth in both the number and the sum of fines has thus been halted for the moment.

While the annual number of fines has decreased by 25% compared to 2023, the annual sum of fines has decreased by over 70%. This shows that the trend towards lower average fines, which had already emerged in previous years, continues.

The predominant field of data protection violations remains the lack of sufficient technical and organisational data protection measures (TOMs), with a total of 71 fines (+16 in comparison to the 2023 ETR) and a total volume of fines of EUR 11.6 million. At an average of EUR 17,500 per fine, however, most of the fines issued in the area of TOMs in 2023 were comparatively low, as the overall average GDPR fine in the health care sector in 2023 amounts to EUR 27,300. In contrast to last year, no exceptionally high fine was issued in this area; the highest fine amounts to only EUR 81,000.

Regarding the countries from which the fines originated, Italy again takes the lead with 23 fines issued in 2023. Runners-up are Romania and Spain with five and three fines issued respectively.

Let's take a closer look

  • The biggest health care case in 2023 (ETid-1666) originated in Ireland with a fine of EUR 460,000. The controller suffered a ransomware attack in which personal data was accessed, altered and destroyed without authorisation. The attack was made possible by inadequate technical and organisational measures to protect personal data. The gravity of the infringement was viewed as serious since data records of approximately 70,000 people were affected, of which 2,500 were permanently affected. Moreover, a failure to adequately document the events in connection with the actual breach contributed to the serious gravity of the infringement, because it resulted in a lack of certainty about the full nature of the attack. This case shows once again the importance of adequate TOMs for dealing with the threat of ransomware attacks, not only preventively prior to an attack but also reactively during and after an attack. The case joins the long list of fines issued because of insufficient technical and organisational data protection measures.
  • Cyber security played a big role in 2023, as two cases in Italy show. In the first case (ETid-1828), a data breach allowed unauthorised access to the health records of several patients. The breach was caused by a deficiency in the electronic health record service; again, sufficient technical and organisational measures had not been taken. In the second case (ETid-2080), yet another ransomware attack caused by inadequate security measures used a virus to restrict access to the healthcare facility’s database. The DPA not only found insufficient precautions to prevent an attack, such as an authentication procedure based only on the use of username and password, but also criticised inadequate measures after the breach: the breach was not detected in a timely manner. Over 800,000 patients were affected. In both cases, a fine of EUR 30,000 was imposed, placing them among the ten highest fines issued in 2023.
  • For the first time since the GDPR came into effect, Lithuania issued a health care related GDPR fine in 2023 (ETid-2200), making it the 26th member state to do so. It addressed the common issue of companies not comprehensively fulfilling their obligations arising from the GDPR. The fine of EUR 8,000 was issued to a company for failing to properly fulfil the data subject's right of access to the personal data processed. While the request was partially fulfilled, the data subject was not given the opportunity to verify the legal basis for the processing of their personal data, the specific data being processed, the purposes of processing, etc. For example, the company did not state any recipients or categories of recipients of personal data but rather stated that the recipients were “in accordance with the procedure established by law”. In similar cases from Italy and Finland addressing a data subject's request for access to their personal information, a health authority did not respond to a request for access (ETid-1633) or did not state a reason why the requested records could not be provided (ETid-2052).
  • Even in 2023, the Covid-19 pandemic was the subject of several rather high health care related GDPR fines. In an Italian case (ETid-2107), a hospital had restricted access to its services to people with a Covid-19 Green Pass. The DPA found that during the pandemic, public interest in the area of public health provided a sufficient legal basis for the data processing. However, once the Italian state had terminated the state of emergency and the pandemic was coming to an end, the data processing could no longer be justified. The fine of EUR 60,000 exemplifies the need to check the legal basis for data processing not only at the beginning, but throughout the whole processing period. In another case from Italy (ETid-2191), the Italian DPA issued a fine of EUR 40,000 because a patient's spouse had received the patient's Covid-19 test report from an employee of the health authority without authorisation.

Main takeaways

While the trend of growing annual numbers of fines ended this year, the key reasons for fines in the health care sector continue to originate from technical and organisational data protection deficiencies and highlight the ubiquitous risk of cyber attacks and breaches. This remained a common issue across many healthcare institutions, with no particular regional focus.

The cases also show that the GDPR requires not only preventive measures, but also measures during and after a breach or an attack, in order to minimise its impact. The lack of such measures resulted in more severe infringements and thus higher fines.

Finally, it is noteworthy that Italy remains very active in the field of health care and that Covid-19 related GDPR infringements remain relevant even in 2023. This stresses the requirement to regularly re-assess the legal basis for the processing of personal data.