Moss municipality – €49,200 Fine (Norway, 2021)

The Norwegian DPA (Datatilsynet) has fined the municipality of Moss EUR 49,200 for inadequately securing personal data. In January, the municipality of Rygge was annexed to the municipality of Moss. For this reason, several IT systems from both municipalities were combined. Due to inadequate security measures, a data breach occurred in a productive system used in the municipality's health service. This system processed personal and health data and affected people who live in the municipality and use the health center. The system is used for services related to immunization programs in the municipality, as well as for other health checks and follow-ups of pregnant women. About 2000 people were potentially affected by the breach. Due to the data breach, errors had occurred in vaccine registration. As a result, the data subjects were at risk of receiving the wrong vaccines. There was also a potential for their immunization data to be misfiled in the national immunization registry. Furthermore, errors occurred in follow-ups for pregnant women, including information on the week of pregnancy or the mother's drug use. Also, patient information was provided to health workers in a health service ward without being required and without access being documented.