Details:

Summary The fine was preceded by access to health data by unauthorised persons, allowing a trainee and a radiologist to gain access to the health data of their colleagues. The investigations revealed that the technical and organisational measures taken by the hospital to protect health data had proved to be insufficient to ensure adequate protection of patients’ personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines for health records issued by the data protection authority in 2015, which stipulate that access to health records must be restricted only to health personnel involved in patient care.
Link: link
Related articles:  Art. 5 (1) f) GDPR, Art. 32 GDPR
Type: Insufficient technical and organisational measures to ensure information security
Fine: EUR 30,000
Sector Health Care

 

All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/

Tags: case law