Società Ospedale San Raffaele srl – €70,000 Fine (Italy, 2022)
Società Ospedale San Raffaele srl was fined €70,000 for exposing patients' email addresses in newsletters. This ruling matters because it shows that hospitals must protect patient information to maintain trust and comply with data protection laws.
What happened
The hospital accidentally revealed email addresses of patients in newsletters by using the wrong email format.
Who was affected
Patients of the hospital whose email addresses were exposed to each other.
What the authority found
The Italian DPA found that the hospital violated GDPR by not adequately protecting personal data, even if it was a human error.
Why this matters
This case highlights the need for strict data security measures in healthcare. Organizations should implement training and protocols to prevent similar mistakes.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is Società Ospedale San Raffaele srl (a hospital). The data subjects are the patients of the hospital. The controller notified the DPA of two data breaches. The email addresses of (1) 499 recipients of a newsletter from the Neurology Operative Unit and (2) 90 recipients of a newsletter from the Transplant and Metabolic-Bariatric Surgery unit in the CC instead of the BCC. This exposed the email addresses of all recipients to each other. The controller stated that because of the limited scope of the violation, there is no concrete risk for the rights and freedoms of the data subjects. It further argued 193 email addresses did not contain references to any names, so they were not personal data. The controller also stated that it happened due to a human error. The controller adopted new technical and organisational measures to ensure data security. This included additional training, possible disciplinary sanctions against the person responsible and/or their superior and the establishment of a working group supervised by the DPO to implement these measures. Regarding the controllers argument that the scope of the violations is limited, the DPA noted that (1) an email address in itself is personal data, even without references to names. Moreover, (2) it included health data (Article 4(15) GDPR) as the newsletters were send to patients of the respected medical facilities, thus revealing possible information about their health. The DPA noted that the processing of health data can have significant risks for the fundamental rights and freedoms of data subjects. There was no legal basis for the processing activities. The DPA therefore held that the controller violated Article 5(f) (principles of integrity and confidentiality) and Article 9 by communicating personal data, including health data to third parties without a legal basis. The DPA fined the controller € 70,000. When deciding the fine, the DPA took the unintentional nature of the breach, the addi
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Società Ospedale San Raffaele srl in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
28 April 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€70,000
GDPRhub ID
gdprhub-5024About this data
Cite as: Cookie Fines. Società Ospedale San Raffaele srl - Italy (2022). Retrieved from cookiefines.eu
Last updated: