Guarantor for privacy: two hospitals and one AUSL sanctioned

The Privacy Guarantor has sanctioned two hospitals and an AUSL that had communicated medical information to the wrong people.
The three facilities fined are the Sienese University Hospital, the University Hospital of Parma and the Romagna Local Health Authority (AUSL). The two hospitals were fined € 10,000 each, while the fine for the Romagna AUSL was € 50,000.

Serious errors led the Privacy Guarantor to penalize the three health facilities with pecuniary administrative sanctions. Healthcare facilities are obliged to take all technical and organizational measures aimed at preventing patient data from being communicated to the wrong people.

This time the incidents have nothing to do with cyber attacks on IT systems or phishing against hospitals. In all three cases, the errors are attributable to hospital staff and stem from inadequate procedures and ordinary clerical mistakes.

The Sienese University Hospital received a fine of 10,000 euros. The Tuscan hospital was found to have sent by post, to the wrong recipients, a document containing a medical report from a genetic counseling session, with data on the health and sexual life of another couple.

For the University Hospital of Parma, the administrative sanction imposed by the Privacy Guarantor was 10,000 euros. The hospital was found to have handed over to other patients medical records containing a minor's personal data (name, surname, tax code, residence, date of birth) and reports.

In these two cases, the penalties were calculated taking into account the high degree of cooperation shown to the Guarantor and the fact that the incidents were isolated and unintentional. Among other things, the two hospitals decided to adopt further and immediate technical and organizational measures aimed at minimizing human error.

The third case, certainly the most serious, occurred at the AUSL of Romagna and concerns a patient hospitalized in the gynecology department. During hospitalization, the patient had explicitly requested, by signing a specific form, that no external person, not even family members, be informed about her state of health. However, the completed and signed form had simply been filed in her medical record.

After discharge, the patient was contacted by telephone by a nurse from the ward where she had received treatment. Unaware of the patient's request, the nurse called the home number recorded in the hospital's registry instead of the patient's private mobile phone, an error that led her to speak with the patient's husband.

The AUSL, having acknowledged the errors that caused the release of highly sensitive information to unauthorized persons, has undertaken to implement a computerized system for managing the telephone numbers of hospitalized patients, to prepare a single form through which patients will in future be able to state whether or not information on their state of health may be communicated to third parties, and to introduce a specific company policy.

In addition to the administrative fine of 50,000 euros for violating the GDPR, the AUSL also faces a claim for compensation from the patient.

The Guarantor, which is evaluating cases similar to those described, wished to recall that information on a person's state of health may be disclosed to third parties only on a legal basis, or on the explicit indication of the person concerned, with written authorization.

The Guarantor urged all health facilities to adopt serious measures to ensure full compliance with the principles of fairness and transparency, together with technical and organizational measures suitable not only to protect themselves from cyber attacks but also to prevent breaches of sensitive data, especially data concerning people's health.