ST. OLAVS HOSPITAL HF – €75,600 Fine (Norway, 2021)

The Norwegian DPA has fined St. Olav's Hospital in the amount of EUR 75,600. The hospital suffered three data leaks in accordance with Art. 33 the GDPR. The first incident had occurred between January 13, 2011, and January 27, 2020, at the hospital's cardiology department following an upgrade for a new treatment-oriented health registry for the cardiology laboratory. In connection with the upgrade, a test server was used on which treatment reports were temporarily cached and then copied to the new system. However, the reports in the test server were not deleted. Moreover, another error occurred, which allowed all authenticated employees to access the reports. About 21,000 reports were affected. The second breach occurred in the period from May 17, 2015 to January 28, 2020, when reports from medical devices (pulse oximeters for long-term measurement of oxygen saturation and pulse) were stored in a file area accessible to any employee with an authenticated and active account. The third breach occurred in the period from January 01, 2018 to December 09, 2019. Passwords for various databases were stored in plain text in a file on the hospital's server. Employees with an active hospital system account were able to first connect to the server viaRemote Desktop and then search for a file with a password in the database. The DPA found that the hospital had failed to establish effective access controls.