Health Care

GDPR Enforcement Tracker Report - Health Care

So far, 19 DPAs (+6 in comparison to the ETR 2020) have imposed 46 fines (+29 in comparison to the ETR 2020) on hospitals, pharmacies, physicians and a medicine supplier, amounting to a total of more than EUR 9.7 million (+EUR 7.47 million in comparison to the ETR 2020).

The single biggest group of fines related to insufficient technical and organisational measures, and hence a lack of data security. There were 21 fines in this area, amounting to a total of around EUR 8.9 million, or more than 90% of the total amount of fines in the health care sector. 10 fines were levied due to the lack of a legal basis for processing, adding up to a total of around EUR 440,000. This reconfirms a trend already identified in last year's report.

Let's take a closer look

  • Judging by the fines issued, the authorities mainly focused on larger institutions such as hospitals and online pharmacies. Only a few fines concerned individual doctors.
  • The main issues which were fined concern insufficient protection of personal data due to the specific setup or configuration of the IT systems used. In particular, 7 fines were issued by the Swedish data protection authority to hospitals which failed to restrict access to patient data on a need-to-know basis. Fines for this violation ranged from around EUR 240,000 (ETid-469 & ETid-470) to EUR 2,900,000 (ETid-473). A closer review of the authorities' reasoning shows that the decisive factor for the actual amount of the fine was the turnover of the group of companies to which the responsible entity belongs. The fine of EUR 2.9 million was issued because 606 employees had unrestricted access to the Swedish centralised patient database "TakeCare", which holds data on around 3 million individual patients. The relevant turnover of the group to which the private hospital company belongs was found to be EUR 3.4 billion.
  • 3 further significant fines for insufficient technical and organisational measures concerned the insufficient protection of current prescriptions stored by pharmacies. The prescriptions were accessible to any third party who knew the respective patient's access code and simply confirmed, on their own behalf, that the patient had permitted them access. The authority accepted that third parties need to be able to purchase prescription medicines on behalf of patients, but held that a self-declaration by the third party, combined with knowledge of an access code, was insufficient both to establish valid consent by the patient and to prevent unwanted access. The fines amounted to EUR 100,000 per pharmacy.
  • Further fines from the previous reporting period also concern insufficient access management systems of hospitals that allowed excessive access by unauthorised persons. Fines ranged from EUR 30,000 in Italy (ETid-212) (in a case where only 2 individual doctors had access to health data of their colleagues) to EUR 400,000 in Portugal (ETid-45) and EUR 460,000 in the Netherlands (ETid-63), where the entire patient database was insufficiently protected.
  • Fines for individual doctors ranged from EUR 2,400 for a missing privacy policy on the website (ETid-468) to EUR 3,000 for storing data without access protection in a doctor's office (ETid-490) and EUR 6,000 for insufficiently protected remote access channels to the data (ETid-491).

Main takeaway

The key issues regarding data protection in the health care sector concern the technical side of data protection and, in particular, inappropriately designed (or entirely absent) access management systems. Especially in hospitals, IT systems for processing patient data frequently appear to be open to the entire workforce without sufficient restrictions.

The reasons can only be inferred but may be due to the fear that access restrictions and usability issues (such as forgotten passwords or lost security tokens) may obstruct fast access to the relevant patient data to the detriment of the patients.

This seems to be a common issue across many health care institutions and has no particular regional focus, which indicates a general problem. It could be an occasion for all stakeholders involved, such as health care institutions, software developers and data protection authorities, to join forces and develop access protection systems that satisfy both the need of health care professionals for unobstructed and expedient data access and the data protection requirements.
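To make the access-control point concrete, the following is an added example written for this page, not code from the report, from any fined institution or from any authority's decision. It contrasts the two patterns the fines describe: the pharmacy check that lets anyone who knows a patient's access code self-declare consent, and a need-to-know policy in which access is tied to a current treatment relationship or to a delegation the patient recorded in advance. It also shows a break-glass path, so that emergency access remains possible without opening the whole database to the workforce, with every such access logged for review. All names, roles and record contents are constructed sample data.

```python
"""Need-to-know access check for patient records with break-glass access
and an audit trail. Added illustration; the policy rules, names and data
are assumptions for the example, not taken from any real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class PatientRecord:
    patient_id: str
    # Staff IDs with a current treatment relationship to this patient.
    care_team: set[str] = field(default_factory=set)
    # Third parties the patient has authorised in advance to collect
    # prescriptions (recorded by the patient, not asserted by the collector).
    prescription_delegates: set[str] = field(default_factory=set)
    # Shared secret handed to the patient (the "access code" pattern).
    access_code: str = ""


@dataclass
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False  # granted outside the normal rule; needs review


def weak_prescription_check(record: PatientRecord, supplied_code: str,
                            collector_confirms_consent: bool) -> bool:
    """The pattern the pharmacies were fined for: anyone who knows the access
    code and ticks 'the patient has permitted me' gets in. Nothing in this
    check involves the patient at all."""
    return supplied_code == record.access_code and collector_confirms_consent


class RecordAccessPolicy:
    """Need-to-know policy: access requires a treatment relationship or a
    patient-recorded delegation. Emergency (break-glass) access is allowed
    for clinicians but is always flagged for after-the-fact review."""

    def __init__(self) -> None:
        self.audit_log: list[dict] = []

    def _log(self, user_id: str, record: PatientRecord, decision: Decision) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "patient": record.patient_id,
            "allowed": decision.allowed,
            "reason": decision.reason,
            "review_required": decision.break_glass,
        })

    def check(self, user_id: str, role: str, record: PatientRecord,
              purpose: str, emergency: bool = False) -> Decision:
        if role == "clinician" and user_id in record.care_team:
            decision = Decision(True, "treatment relationship")
        elif purpose == "prescription_pickup" and user_id in record.prescription_delegates:
            decision = Decision(True, "patient-recorded delegation")
        elif role == "clinician" and emergency:
            # Break-glass: do not block care, but make the access visible.
            decision = Decision(True, "break-glass emergency access", break_glass=True)
        else:
            decision = Decision(False, "no need-to-know relationship")
        self._log(user_id, record, decision)  # denied attempts are logged too
        return decision

    def accesses_needing_review(self) -> list[dict]:
        return [e for e in self.audit_log if e["review_required"]]


# Constructed sample record: one treating clinician, one delegate chosen
# by the patient, and the patient's own access code.
RECORD = PatientRecord("P-1001", care_team={"dr.ahmed"},
                       prescription_delegates={"carer.lopez"},
                       access_code="4821")


def demo() -> dict:
    """Run the constructed scenarios and return the outcomes by name."""
    policy = RecordAccessPolicy()
    return {
        # Weak pattern: a stranger with the code and a tick box gets in.
        "weak_stranger": weak_prescription_check(RECORD, "4821", True),
        "care_team": policy.check("dr.ahmed", "clinician", RECORD, "treatment").allowed,
        "other_clinician": policy.check("dr.berg", "clinician", RECORD, "treatment").allowed,
        "delegate": policy.check("carer.lopez", "third_party", RECORD, "prescription_pickup").allowed,
        "stranger_with_code": policy.check("stranger", "third_party", RECORD, "prescription_pickup").allowed,
        "break_glass": policy.check("dr.berg", "clinician", RECORD, "treatment", emergency=True).break_glass,
        "for_review": len(policy.accesses_needing_review()),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the break-glass path is the usability concern raised above: a clinician outside the care team is not blocked in an emergency, but the access is recorded and surfaces in `accesses_needing_review()`, whereas the code-plus-self-declaration check grants the same access to anyone and records nothing about the patient's actual consent.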