Azienda sanitaria dell'Alto Adige - Südtiroler Sanitätsbetrieb – €75,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Azienda sanitaria dell'Alto Adige was fined for allowing unauthorized healthcare workers to access patients' health records. This matters because it shows how important it is for companies to protect sensitive personal data. People deserve to know that their health information is safe and only accessible to those who should see it.
What happened
Azienda sanitaria dell'Alto Adige allowed unauthorized staff to access patients' electronic health records.
Who was affected
Patients whose health records were accessed by unauthorized healthcare personnel.
What the authority found
The authority found that the company failed to protect personal data, violating GDPR's requirements for data security and access control.
Why this matters
This case highlights the need for strict access controls in healthcare settings. Companies must ensure that only authorized personnel can view sensitive data to avoid serious privacy breaches.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
The DPA received two complaints and two infringement notifications alleging unlawful processing of personal data carried out by Azienda sanitaria dell'Alto Adige - Südtiroler Sanitätsbetrieb (the controller) through its health data record system. Specifically, repeated accesses were made to the electronic health record ('EHR') system by unauthorized healthcare personnel. In fact, some staff members had unrestricted access to the dossiers of patients they did not treat. The data subjects complained about repeated access to their health records in the controller's system during a period of time when they were not in the hospital or undergoing treatment.

The controller argued that some of the accesses were repeated within a very short period of time for technical reasons. However, it admitted that some accesses were "unjustified" or limited to "only the list of health services performed and not the relevant details". The controller explained that the system currently allows healthcare workers to access the EHR if there is a clinical-administrative event present. In cases where no clinical-administrative event is traced in the system (e.g., a patient calling the professional for post-hospitalization clarifications), the healthcare worker can access the EHR by selecting an appropriate reason from a predefined list.

In one case, a healthcare worker was able to access the laboratory tests of her ex-husband without his knowledge. The worker was then subject to disciplinary proceedings and consequently suspended following a complaint for abusive access pursuant to Article 615-ter of the Italian Criminal Code.

Additionally, the DPA discovered that EHR files were not protected by a system for detecting any anomalies that could constitute unlawful processing, such as alerts. The DPA emphasized the importance of using tools to detect alerts signaling anomalous or risky behavior by authorized data processors to comply with the principles under Article 5(1)(a) an
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Azienda sanitaria dell'Alto Adige - Südtiroler Sanitätsbetrieb in IT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
22 February 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€75,000
GDPRhub ID
gdprhub-7972
Cite as: Cookie Fines. Azienda sanitaria dell'Alto Adige - Südtiroler Sanitätsbetrieb - Italy (2024). Retrieved from cookiefines.eu