Azienda sanitaria dell'Alto Adige - Südtiroler Sanitätsbetrieb – €75,000 Fine (Italy, 2024)
Azienda sanitaria dell'Alto Adige was fined EUR 75,000 for allowing unauthorized staff to access patient health records. This is important because it emphasizes the need for strict access controls to protect sensitive health information.
What happened
Azienda sanitaria dell'Alto Adige allowed unauthorized healthcare personnel to access electronic health records.
Who was affected
Patients whose health records were accessed by staff members who were not involved in their treatment.
What the authority found
The authority ruled that the company violated GDPR rules by not properly controlling access to sensitive health data.
Why this matters
This ruling stresses the importance of safeguarding personal health information. It serves as a warning to healthcare providers to ensure only authorized personnel have access to patient records.
GDPR Articles Cited
Original scraped data (from the scraper, before AI verification against the source document):
The DPA received two complaints and two infringement notifications alleging unlawful processing of personal data carried out by Azienda sanitaria dell'Alto Adige - Südtiroler Sanitätsbetrieb (the controller) through its health data record system. Specifically, repeated accesses were made to the electronic health record (EHR) system by unauthorized healthcare personnel. In fact, some staff members had unrestricted access to the dossiers of patients they did not treat. The data subjects complained about repeated access to their health records in the controller's system during periods when they were not in the hospital or undergoing treatment. The controller argued that some of the accesses were repeated within a very short period of time for technical reasons. However, it admitted that some accesses were "unjustified" or limited to "only the list of health services performed and not the relevant details". The controller explained that the system currently allows healthcare workers to access the EHR if a clinical-administrative event is present. In cases where no clinical-administrative event is traced in the system (e.g., a patient calling the professional for post-hospitalization clarifications), the healthcare worker can access the EHR by selecting an appropriate reason from a predefined list. In one case, a healthcare worker was able to access the laboratory tests of her ex-husband without his knowledge. The worker was then subject to disciplinary proceedings and consequently suspended following a complaint for abusive access pursuant to Article 615-ter of the Italian Criminal Code. Additionally, the DPA discovered that EHR files were not protected by a system for detecting anomalies that could constitute unlawful processing, such as alerts. The DPA emphasized the importance of using tools to detect alerts signaling anomalous or risky behavior by authorized data processors to comply with the principles under Article 5(1)(a) an
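The decision faults the controller for two gaps: EHR reads were allowed whenever a clinical-administrative event existed (or a reason was picked from a list), and nothing flagged anomalous reads afterwards. The following is an added illustration, not code from the controller, the Garante or this site, of the kind of after-the-fact anomaly check the DPA describes: it takes a constructed EHR access log plus a constructed list of treatment encounters, collapses reloads a few seconds apart (the "technical reasons" the controller cited) so they do not inflate the counts, and raises alerts for reads with no matching encounter and no declared reason, for reason-based (break-glass) reads that deserve review, and for repeated uncovered reads of the same patient's record. All identifiers, thresholds and log entries are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Encounter:
    """A clinical-administrative event linking a staff member to a patient for a time window."""
    staff_id: str
    patient_id: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Access:
    """One read of a patient's EHR; `reason` is set only for reason-based (no-event) access."""
    ts: datetime
    staff_id: str
    patient_id: str
    reason: Optional[str] = None


@dataclass(frozen=True)
class Alert:
    kind: str
    staff_id: str
    patient_id: str
    detail: str


# Tunable thresholds (hypothetical values chosen for this example).
TECHNICAL_REPEAT_WINDOW = timedelta(seconds=60)  # reloads this close together count as one read
REPEAT_THRESHOLD = 3                             # uncovered reads of one record ...
REPEAT_WINDOW = timedelta(days=7)                # ... within this span trigger a pattern alert


def collapse_technical_repeats(accesses: List[Access]) -> List[Access]:
    """Drop reads of the same (staff, patient) pair within TECHNICAL_REPEAT_WINDOW of the last kept one."""
    kept: List[Access] = []
    last_kept: Dict[Tuple[str, str], datetime] = {}
    for a in sorted(accesses, key=lambda x: x.ts):
        key = (a.staff_id, a.patient_id)
        prev = last_kept.get(key)
        if prev is not None and a.ts - prev <= TECHNICAL_REPEAT_WINDOW:
            continue
        last_kept[key] = a.ts
        kept.append(a)
    return kept


def covered_by_encounter(a: Access, encounters: List[Encounter]) -> bool:
    """True if the reading staff member had a clinical-administrative event with this patient at that time."""
    return any(
        e.staff_id == a.staff_id and e.patient_id == a.patient_id and e.start <= a.ts <= e.end
        for e in encounters
    )


def detect_anomalies(accesses: List[Access], encounters: List[Encounter]) -> List[Alert]:
    alerts: List[Alert] = []
    uncovered: Dict[Tuple[str, str], List[datetime]] = {}
    for a in collapse_technical_repeats(accesses):
        if covered_by_encounter(a, encounters):
            continue  # routine read during treatment: no alert
        uncovered.setdefault((a.staff_id, a.patient_id), []).append(a.ts)
        if a.reason is None:
            alerts.append(Alert("NO_EVENT_NO_REASON", a.staff_id, a.patient_id, a.ts.isoformat()))
        else:
            # Reason-based access is permitted but must be reviewable, so it is logged for audit.
            alerts.append(Alert("BREAK_GLASS", a.staff_id, a.patient_id,
                                f"{a.ts.isoformat()} reason={a.reason!r}"))
    # Pattern rule: several uncovered reads of the same record within REPEAT_WINDOW.
    for (staff, patient), stamps in uncovered.items():
        stamps.sort()
        for i in range(len(stamps)):
            in_window = [t for t in stamps[i:] if t - stamps[i] <= REPEAT_WINDOW]
            if len(in_window) >= REPEAT_THRESHOLD:
                alerts.append(Alert("REPEATED_UNCOVERED", staff, patient,
                                    f"{len(in_window)} reads since {stamps[i].date()}"))
                break
    return alerts


# Constructed sample data (hypothetical staff, patients and timestamps).
SAMPLE_ENCOUNTERS = [
    Encounter("dr_a", "pat_1", datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 12, 18, 0)),
]
SAMPLE_ACCESSES = [
    Access(datetime(2024, 1, 11, 9, 0, 0), "dr_a", "pat_1"),          # during treatment
    Access(datetime(2024, 1, 11, 9, 0, 20), "dr_a", "pat_1"),         # page reload 20 s later
    Access(datetime(2024, 1, 20, 10, 0), "nurse_b", "pat_1"),         # no encounter, no reason
    Access(datetime(2024, 1, 21, 10, 0), "nurse_b", "pat_1"),
    Access(datetime(2024, 1, 22, 10, 0), "nurse_b", "pat_1"),
    Access(datetime(2024, 1, 25, 14, 0), "dr_a", "pat_1", "post-discharge phone query"),
    Access(datetime(2024, 2, 1, 16, 30), "tech_c", "pat_2"),          # no encounter at all
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_ACCESSES, SAMPLE_ENCOUNTERS):
        print(alert)
```

On the sample log the reload is collapsed, the three nurse_b reads each raise NO_EVENT_NO_REASON and together a REPEATED_UNCOVERED alert, the reason-based read by dr_a is surfaced as BREAK_GLASS for review, and the tech_c read is flagged. In a real deployment the encounter list would come from the admission/appointment system and the thresholds would be tuned per ward; the point is that the check runs on the access log, independently of the authorization decision that let the read through.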
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda sanitaria dell'Alto Adige - Südtiroler Sanitätsbetrieb in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
22 February 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€75,000
GDPRhub ID
gdprhub-7972
Cite as: Cookie Fines. Azienda sanitaria dell'Alto Adige - Südtiroler Sanitätsbetrieb - Italy (2024). Retrieved from cookiefines.eu