The Centro Hospitalar Barreiro Montijo, near Lisbon, Portugal, has become the first hospital to be issued a penalty for violating the EU’s new General Data Protection Regulation (GDPR).
The Comissão Nacional de Protecção de Dados (CNPD), the body which oversees issues relating to data protection, prosecuted the Barreiro Montijo hospital for failing to ensure that adequate access restrictions were in place to protect the integrity of data stored in its patient management system.
The issue was first brought to the authorities’ attention in April 2018. Members of the Sindicato dos Médicos da Zona Sul (Medical Workers Union of the Southern Zone) who worked in the clinic discovered that non-clinical staff were using medical profiles to access the patient management system. Non-clinical staff would have no reason to access sensitive patient data, and therefore their actions were in violation of patient privacy protection laws.
CNPD conducted an audit of the hospital. Investigators discovered that while there were 985 “Physician” accounts in its system, only 296 physicians were actually employed at the hospital. Accounts in the “Physician” group had full access to sensitive patient data. It was evident that fake profiles had been created for non-physician staff to gain unrestricted access to this private information.
CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data. Nine social workers employed at the facility used this to gain access to confidential patient data.
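The reconciliation the CNPD audit performed, written out as an added example (not code from the article, the hospital, or the regulator): compare membership of privileged role groups against the HR roster, flag accounts whose owner does not hold the matching job title, and flag privileged accounts with nobody accountable for them. All account names, employee ids and counts are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    group: str         # IAM role group granting data access, e.g. "Physician"
    employee_id: str   # "" for accounts not tied to a person (test/shared)


# HR roster: employee_id -> job title (constructed sample data).
ROSTER = {
    "E001": "Physician", "E002": "Physician", "E003": "Physician",
    "E010": "Social Worker", "E011": "Social Worker", "E020": "Clerk",
}

# IAM export (constructed): more "Physician" accounts than physicians.
ACCOUNTS = [
    Account("dr.silva", "Physician", "E001"),
    Account("dr.costa", "Physician", "E002"),
    Account("dr.lopes", "Physician", "E003"),
    Account("a.ferreira", "Physician", "E010"),  # social worker in a clinical role
    Account("j.pinto", "Physician", "E020"),     # clerk in a clinical role
    Account("teste", "Admin", ""),               # unowned test profile with admin rights
]

PRIVILEGED_GROUPS = {"Physician", "Admin"}


def audit_access(accounts, roster):
    """Reconcile privileged group membership against the HR roster.
    headcount: group size vs. employees whose job title matches the group
    mismatched: owned privileged accounts whose owner has a different title
    unowned_privileged: privileged accounts with nobody accountable for them
    """
    group_sizes = Counter(a.group for a in accounts)
    title_counts = Counter(roster.values())
    headcount = {g: (group_sizes[g], title_counts.get(g, 0))
                 for g in sorted(PRIVILEGED_GROUPS) if group_sizes[g]}
    mismatched = sorted(a.username for a in accounts
                        if a.group in PRIVILEGED_GROUPS and a.employee_id
                        and roster.get(a.employee_id) != a.group)
    unowned = sorted(a.username for a in accounts
                     if a.group in PRIVILEGED_GROUPS and not a.employee_id)
    return {"headcount": headcount, "mismatched": mismatched,
            "unowned_privileged": unowned}


if __name__ == "__main__":
    for key, value in audit_access(ACCOUNTS, ROSTER).items():
        print(f"{key}: {value}")
```

On the sample data the report shows five "Physician" accounts against three physicians, two accounts held by staff with non-clinical titles, and one privileged account with no owner, which is the pattern the auditors found at scale.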
The failure to implement appropriate access controls is a violation of the GDPR, which came into force on May 25, 2018. GDPR overhauled data protection laws in the EU, most notably by giving individuals more rights over their data. GDPR also aims to ensure that organisations, ranging from tech giants to hospitals, take their responsibility to protect the data of individuals more seriously.
The Barreiro Montijo hospital has been fined €400,000 ($455,050) for the GDPR violations. The fine was broken into two parts: €300,000 for the failure to limit access to patient data, and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services.
The hospital is making moves to appeal the GDPR penalty. In a statement, the board of the Lusa hospital unit, one of the hospital sites under the group, said: “The Centro Hospitalar Barreiro Montijo (CHBM) does not follow the assumptions and understanding of the National Data Protection Commission (CNPD) on this matter, […] We are currently preparing a judicial challenge.”
This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalties that can be issued for a GDPR violation are huge, up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater. It is possible that early fines levied against organisations will be more lenient, acting as a “grace period” as organisations get used to the new regulations.
In November, the supervisory authority in Germany, the Baden-Württemberg Data Protection Authority, issued a financial penalty to one of Germany’s largest chat platforms, Knuddels.de, for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed that sensitive information such as passwords was stored in plain text.
Knuddels.de was fined €20,000 ($22,750). The fine was a fraction of the theoretical maximum; this was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.