Azienda Ospedaliero Universitaria Integrata di Verona (Hospital) – €30,000 Fine (Italy, 2020)

Fine amount: €30,000
Authority: Garante per la protezione dei dati personali
Date: 23 January 2020
Country: Italy
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A hospital in Verona was fined €30,000 for not protecting patients' health data properly. Unauthorized staff accessed colleagues' health records due to weak security measures. This case shows the importance of following data protection guidelines to safeguard sensitive health information.

What happened

A hospital allowed unauthorized access to patients' health data by failing to implement adequate security measures.

Who was affected

Patients whose health records were accessed by unauthorized hospital staff.

What the authority found

The authority determined that the hospital's security measures were insufficient, leading to unlawful data access and processing.

Why this matters

This ruling highlights the critical need for hospitals to follow data protection guidelines to prevent unauthorized access to sensitive health information. Medical facilities must ensure that only relevant health personnel can access patient records.

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(f) GDPR
Full Legal Summary

The fine followed access to health data by unauthorised persons: a trainee and a radiologist were able to view the health records of their colleagues. The investigation found that the technical and organisational measures the hospital had adopted to protect health data were insufficient to ensure adequate protection of patients' personal data, resulting in unlawful data processing. According to the data protection authority, the breach could have been avoided if the hospital had simply followed the guidelines on health records issued by the authority in 2015, which stipulate that access to health records must be restricted to the health personnel involved in the patient's care.

Related Enforcement Actions (0)

No other enforcement actions found for Azienda Ospedaliero Universitaria Integrata di Verona (Hospital) in Italy.

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

23 January 2020

Authority

Garante per la protezione dei dati personali

Fine Amount

€30,000

Enforcement Tracker ID

ETid-212

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Azienda Ospedaliero Universitaria Integrata di Verona (Hospital) - Italy (2020). Retrieved from cookiefines.eu
