Health Care

To date, DPAs from 25 different countries have imposed 154 fines (+60 in comparison to the 2022 ETR) for data protection violations by hospitals, pharmacies, physicians and medicine suppliers. This means that in the health care sector, the number of annual fines has increased by 25% compared to the previous reporting period. More fines have been issued in the past year alone than in all previous reporting periods taken together. The sum of fines now amounts to about EUR 15.7 million (+3 million in comparison to the 2022 ETR). Since the number of fines grew by 25% while the total volume grew by much less, the average fine was lower in 2022 than in recent years.

The increase in the annual number of fines combined with the decrease in the average amount of fines could be interpreted to mean that in 2022, the authorities have again widened the scope of their supervisory activities and are also addressing less prominent cases.

The predominant field of data protection violations remains the lack of sufficient technical and organisational data protection measures, with a total of 55 fines (+14 in comparison to the 2022 ETR) and a total volume of fines of EUR 11.3 million. With an average of EUR 18,500, most of the fines issued in this area in 2022 were however comparatively low – as was the case in the 2021 ETR. There is however one exception: in a case where the insufficient technical and organisational data protection measures resulted in a data breach, a fine of EUR 1.5 million was imposed.

Regarding the countries from which the fines originated, Italy again takes the lead with 23 of the 60 new fines in the health care sector. Runners-up are Romania and Spain with four fines each.

Let's take a closer look

As in recent years, the main reason for the fines was that technical and organisational measures were insufficient or (partly) missing.

  • The largest fine, amounting to EUR 1.5 million (ETid-1136) was imposed in France for a data leak at a software solution provider for medical laboratories. The incident resulted in the leak of nearly 500,000 individuals' data, including health data. The French DPA (CNIL) identified several GDPR violations, among them insufficient technical and organisational data protection measures; e.g. that the data at rest had not been stored in encrypted form, that no standardized procedure for data migration operations had been implemented and that (public) areas of the relevant servers were accessible without authentication. The case shows that in devising, implementing and assessing technical and organisational data protection measures, it is necessary to also consider areas adjacent to the "core" data processing activities, such as data migration processes and other (public) areas of the IT systems used.
  • The importance of considering the context of the processing activities was also demonstrated in a case reported from Sweden. The Swedish DPA (IMY) issued a fine of EUR 17,900 for sending out letters with invitations for patient visits where the respective healthcare facility, such as a children's hospital, was visible through the envelope window. The DPA found that this visibility allowed unauthorized persons to gain access to patients' personal data (ETid-1579).
  • In the current reporting period, the (un-)availability of data has also become subject to fines. With EUR 460,000, the second highest fine in the health care sector in the reporting period was imposed by the Irish DPA (DPC) (ETid-1666) on a data controller which suffered a ransomware attack. In the course of the attack, records of about 70,000 people were accessed, altered and/or destroyed. About 2,500 records were affected permanently. A fine (of EUR 20,000) for the unavailability of data was also imposed by the Hellenic DPA (ETid-1362). In that case, a patient's request to access raw data from an imaging examination could not be fulfilled, as the original images had been deleted and only the doctor's assessment had been stored. The violation of storage obligations under Greek national law was found to lead to a violation of the GDPR. Likewise, the Hungarian DPA (NAIH) fined an individual physician EUR 1,500 for not complying with a patient's request to be provided with their complete medical records (ETid-1443).
  • A recurring cause for fines was the lack (or insufficient implementation) of access policies for patients' files. For example, the Italian DPA (Garante) imposed fines of EUR 70,000 (ETid-1297), EUR 50,000 (ETid-1298) and EUR 40,000 (ETid-1514) in cases where employees of a healthcare facility had accessed patients' health data even though they were not involved in the treatment of those patients and such access was not required.
  • Several cases concerned the inadvertent disclosure of patients' data. In this area, the fines awarded cover a particularly wide range. Violations affecting individual patients are subject to comparatively high fines per affected patient. For example, the Italian DPA imposed a fine of EUR 7,000 in two cases where an individual had mistakenly received the medical records of another patient via e-mail (ETid-1528, ETid-1274) and EUR 3,000 for the loss of one patient's record (ETid-1416). On the other hand, in a case where a patient's confidential health information was emailed to more than 1,870 recipients in an unsecured attachment, the fine imposed by the DPA of the Isle of Man amounted to EUR 202,000 (ETid-1352), and in the case described above involving the disclosure of data of 500,000 individuals, the French DPA imposed a fine of EUR 1.5 million (ETid-1136).
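The Italian cases above turn on a control that is simple to state: staff may open a patient's file only while they are involved in that patient's treatment, and every access is recorded so that out-of-scope access can be reviewed. The following Python block is an added illustration of that control and of the audit review behind it; it is not code from the report or from any of the fined organisations. The care-team model, the "break-glass" emergency path with a mandatory justification, the threshold of three denied attempts and all user and patient identifiers are constructed assumptions for the example.

```python
"""Care-team based access policy for patient records, plus audit review.

Added example, not from the report. Models the policy whose absence was fined
in the Garante cases: a staff member may read a record only while assigned to
the patient's care team. Emergency ("break-glass") access is an assumed
extension: it is allowed only with a recorded justification and is always
surfaced for review. All identifiers below are constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AccessEvent:
    user: str
    patient_id: str
    allowed: bool
    reason: str


@dataclass
class PatientRecordAccess:
    """Enforce 'treating staff only' access and keep a full audit trail."""

    # patient_id -> staff user names currently assigned to that patient
    care_teams: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[AccessEvent] = field(default_factory=list)

    def assign(self, patient_id: str, user: str) -> None:
        self.care_teams.setdefault(patient_id, set()).add(user)

    def unassign(self, patient_id: str, user: str) -> None:
        # Access rights end when the treating relationship ends.
        self.care_teams.get(patient_id, set()).discard(user)

    def access_record(self, user: str, patient_id: str,
                      break_glass_reason: Optional[str] = None) -> bool:
        """Decide one access request and log it, whatever the outcome."""
        on_team = user in self.care_teams.get(patient_id, set())
        if on_team:
            allowed, reason = True, "assigned to care team"
        elif break_glass_reason:
            # Assumed emergency path: permitted, but never silent.
            allowed, reason = True, f"break-glass: {break_glass_reason}"
        else:
            allowed, reason = False, "not assigned to care team"
        self.audit_log.append(AccessEvent(user, patient_id, allowed, reason))
        return allowed


def review_audit_log(events: List[AccessEvent], denied_threshold: int = 3) -> dict:
    """Return what a data protection officer would want to see each period:
    every break-glass use, and users repeatedly denied access to files of
    patients they are not treating (a signal of curiosity-driven browsing)."""
    break_glass = [e for e in events if e.allowed and e.reason.startswith("break-glass")]
    denied_per_user = Counter(e.user for e in events if not e.allowed)
    repeat_denied = sorted(u for u, n in denied_per_user.items() if n >= denied_threshold)
    return {"break_glass": break_glass, "repeat_denied_users": repeat_denied}


def demo():
    """Constructed scenario: one treating physician, one nurse browsing
    outside their assignments, one emergency admission."""
    ac = PatientRecordAccess()
    ac.assign("P-1001", "dr.rossi")
    ac.assign("P-1002", "dr.rossi")
    ac.assign("P-1003", "nurse.bianchi")

    results = [
        ac.access_record("dr.rossi", "P-1001"),        # treating physician: allowed
        ac.access_record("nurse.bianchi", "P-1001"),   # not on this team: denied
        ac.access_record("nurse.bianchi", "P-1002"),   # denied
        ac.access_record("nurse.bianchi", "P-1004"),   # denied (no such team)
        ac.access_record("dr.verdi", "P-1003",
                         break_glass_reason="emergency admission"),  # allowed, flagged
    ]
    return results, review_audit_log(ac.audit_log)


if __name__ == "__main__":
    decisions, report = demo()
    print("decisions:", decisions)
    print("break-glass uses:", [(e.user, e.patient_id) for e in report["break_glass"]])
    print("repeatedly denied:", report["repeat_denied_users"])
```

The point of keeping the audit log even for denied requests is that the Garante cases were not about a single slip but about staff reading files they had no role in; a review that only looks at successful reads misses the pattern, while counting denied attempts per user surfaces it early.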

Main takeaways

The key causes of fines in the health care sector continue to originate from technical and organisational data protection deficiencies and – as has been the case in the previous reporting period – in particular, inappropriate setup (or lack) of access restrictions and access management systems. This remained a common issue across many healthcare institutions and without a particular regional focus.

The reported cases indicate that risks of data protection violations also exist regarding the (un-)availability of data and in areas that might not be the focus of attention, such as data migration processes, and that health-related information may be disclosed inadvertently simply by indicating the sender on mail envelopes.

Finally, it is noteworthy that – as in the past year – the Italian DPA has been particularly active in the field of health care.