GDPR Enforcement in Life Science & Healthcare
Deep dive into relevant data protection enforcement cases and insights for life science and healthcare
The healthcare sector processes some of the most sensitive personal data under the GDPR, which is why it is one of the most strictly regulated areas of data protection enforcement. To date, DPAs from 27 different countries have imposed 265 fines (+44 compared to the 2025 ETR) totalling approximately EUR 32.3 million (+9.5 million compared to the 2025 ETR) for data protection violations by hospitals, pharmacies, physicians and medicine suppliers. The number of new fines issued in 2025 in the healthcare sector is 26% higher compared to the previous reporting period, signalling that the slow growth trend of the last three years is picking up speed in both volume and total sum.
As in previous years, and therefore as expected, the most common reason for fines was the lack of sufficient technical and organisational measures (TOMs), with a total of 100 fines (+17 compared to the 2025 ETR) and a total volume of EUR 22.8 million (+6.6 million compared to the 2025 ETR). With an average of EUR 228,161 per fine, TOM fines in 2025 were not as high as in the record year of 2024. Nevertheless, it should be emphasised that in 2025 four exceptionally high fines in the millions were imposed, of which the two highest were TOM fines. A fine of that size was imposed only once in the previous year and not at all in the year before.
Regarding the countries from which the fines originated, Italy remains at the top with 95 fines issued in total. The runners-up are Spain with 30 and Germany with 29 fines issued.
Let's take a closer look
- The biggest healthcare case in 2025 (ETid-2561) originated in the United Kingdom with a fine of EUR 3.5 million. In a ransomware attack in August 2022, the attackers gained access to the systems of a health subsidiary through a customer account that was not protected by multi-factor authentication. As a result, the personal data of 79,404 individuals were put at risk. During its investigation, the UK Information Commissioner's Office (ICO) found that the controller had failed to implement appropriate technical and organisational measures to protect personal data.
- The ICO was also responsible for the second-highest fine, amounting to EUR 2.7 million (ETid-2656). Although the case was similar to the largest one and likewise involved a cyberattack enabled by insufficient technical and organisational measures, it additionally provides interesting insights into five factors that influence the severity of the fine. The cyberattack exposed highly sensitive personal data, including DNA information, of more than 150,000 individuals over a period of at least five months. The controller's failure to identify the attack earlier and its failure to adequately inform the DPA about the breach were treated as aggravating factors.
- Regarding TOM fines, the highly active Italian DPA focused on the use of software in healthcare facilities. A common problem in 2025 was software that allowed medical personnel to access more patient data than necessary for treatment, i.e. no restriction of access to patients the staff member is actually treating (https://www.enforcementtracker.com/ETid-2888 and https://www.enforcementtracker.com/ETid-2889). This problem is not new and has been a focus of the Italian DPA for years: in 2020, an Italian hospital was fined for granting unauthorised staff access to health data (ETid-212), and in 2024 a university hospital was fined for the same reason (ETid-2370).
- Another significant reason for high GDPR fines remains non-compliance with general data processing principles. In a Spanish case resulting in a fine of EUR 1.2 million (ETid-3013), a hospital performed MRI scans and allowed patients to bring copies or originals of previous scans. The hospital then deleted the data immediately or after a very short amount of time, meaning that data subjects were unable to easily retrieve their data if they had brought them on physical data carriers. In a Finnish case resulting in a fine of EUR 1.1 million (ETid-2647), an online pharmacy used website tools that allowed the providers, who are based outside the EU, to access personal data without complying with the principle of data minimisation.
- Negligence by healthcare facilities resulted in a high number of fines, especially in Romania. In one case (ETid-2546), the controller mistakenly sent a patient's health data via unsecured email to another patient. In another case (ETid-2685), the controller publicly exposed the access credentials for a data subject's email account on a workstation.
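The Italian cases above turn on one control: clinical staff should only be able to open records of patients they are actually treating, and any exception should be visible to the DPO afterwards. The following is an added example of such a need-to-know check, written for this page; it is not code from the Enforcement Tracker, from any of the sanctioned hospitals or from any DPA decision. Clinician names, patient identifiers and dates are constructed; the role names, the "break-glass" override and the audit record layout are assumptions chosen to illustrate the control.

```python
"""Need-to-know access check for patient records (added illustrative example).

Models the control whose absence the Italian DPA sanctioned: a clinician may
read a record only while an active treatment relationship exists; emergency
access is possible but is logged separately so it can be reviewed.
All names, roles and dates below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed role model: only these roles may read clinical records at all.
CLINICAL_ROLES = frozenset({"physician", "nurse"})


@dataclass(frozen=True)
class Clinician:
    user_id: str
    role: str


@dataclass(frozen=True)
class TreatmentRelationship:
    clinician_id: str
    patient_id: str
    start: date
    end: Optional[date] = None  # None means the treatment is still ongoing

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


@dataclass
class RecordAccessPolicy:
    relationships: list[TreatmentRelationship]
    audit_log: list[dict] = field(default_factory=list)

    def _has_active_relationship(self, who: Clinician, patient_id: str, day: date) -> bool:
        return any(
            r.clinician_id == who.user_id and r.patient_id == patient_id and r.active_on(day)
            for r in self.relationships
        )

    def can_read(self, who: Clinician, patient_id: str, day: date,
                 break_glass_reason: Optional[str] = None) -> bool:
        """Decide whether `who` may read `patient_id`'s record on `day`.

        Every decision, allowed or denied, is appended to the audit log so that
        access outside a treatment relationship can be reviewed afterwards.
        """
        if who.role not in CLINICAL_ROLES:
            decision = "DENY_ROLE"                # e.g. billing staff: never clinical data
        elif self._has_active_relationship(who, patient_id, day):
            decision = "ALLOW"                    # the normal, need-to-know path
        elif break_glass_reason:
            decision = "ALLOW_BREAK_GLASS"        # emergency override, must be justified
        else:
            decision = "DENY_NO_RELATIONSHIP"     # the failure mode the DPA fined
        self.audit_log.append({
            "user": who.user_id,
            "patient": patient_id,
            "day": day.isoformat(),
            "decision": decision,
            "reason": break_glass_reason,
        })
        return decision.startswith("ALLOW")

    def break_glass_events(self) -> list[dict]:
        """Entries the data protection officer should review after the fact."""
        return [e for e in self.audit_log if e["decision"] == "ALLOW_BREAK_GLASS"]


def demo() -> tuple[dict, RecordAccessPolicy]:
    """Run the policy against constructed sample data and return the outcomes."""
    policy = RecordAccessPolicy(relationships=[
        TreatmentRelationship("dr_rossi", "pat_001", date(2025, 3, 1)),                   # ongoing
        TreatmentRelationship("dr_rossi", "pat_002", date(2024, 1, 10), date(2024, 2, 1)),  # discharged
    ])
    rossi = Clinician("dr_rossi", "physician")
    clerk = Clinician("bianchi", "billing")
    today = date(2025, 6, 15)
    results = {
        "own_patient": policy.can_read(rossi, "pat_001", today),
        "discharged_patient": policy.can_read(rossi, "pat_002", today),
        "break_glass": policy.can_read(rossi, "pat_002", today, break_glass_reason="ER admission"),
        "billing_clerk": policy.can_read(clerk, "pat_001", today),
    }
    return results, policy


if __name__ == "__main__":
    outcome, pol = demo()
    print(outcome)
    print("for DPO review:", pol.break_glass_events())
```

The point of the example is the third branch: a system that simply grants every physician read access to every record (the behaviour in the Italian cases) has no way to tell routine treatment from curiosity, whereas an explicit break-glass path keeps emergency care possible while producing exactly the audit trail a DPA will ask for.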
Main takeaways
Compliance hotspots
- Hotspot 1: Data leaks due to ransomware attacks and other cyberattacks
- Hotspot 2: Data leaks due to internal factors like insufficient role and access concepts, inappropriate software use or negligence
- Hotspot 3: Not following general data processing principles as fundamental GDPR requirements
Outlook
For 2026, the European Data Protection Board (EDPB) has selected "compliance with transparency and information obligations" as the topic for its coordinated enforcement action. National authorities can therefore be expected to focus on reviewing and assessing privacy notices, consent forms and other information provided to patients and other data subjects. Data subject information should in any case be reviewed and updated regularly to ensure factual accuracy in compliance with the latest regulatory requirements. With the upcoming coordinated enforcement action in sight, now is a good time to review processes and update documentation where necessary.
Based on the enforcement trends observed in 2025 and previous years, the other above-mentioned topics are likely to remain on DPAs' agendas in the healthcare sector. DPAs will almost certainly continue to scrutinise the cybersecurity posture of healthcare organisations with increasing rigour. In particular, the use of clinical software systems and electronic health records will likely remain a focus, especially for the Italian DPA.
Even though no AI-related fines were issued in the healthcare sector in 2025, AI-related fines were imposed in other sectors such as media, telecoms and broadcasting. As AI-driven tools increasingly enter clinical workflows, from diagnostic support to patient triage, compliance with data protection obligations and with the requirements of the EU AI Act will become a priority both for healthcare providers' compliance efforts and for DPAs' enforcement activities.