Bambino Gesù Pediatric Hospital – €8,000 Fine (Italy, 2024)

Bambino Gesù Pediatric Hospital in Rome reported a data breach involving its "Charter of Health" portal. On a specified day, a patient mistakenly accessed another patient's report due to a software error. The issue stemmed from the Dedalus Dnlab software provided by Dedalus Italia S.p.A., which sent incorrect patient identifiers in HL7 messages. This caused reports to be wrongly associated with patients in the hospital's integrated systems. The breach affected 24 reports. The hospital promptly notified authorities and took corrective actions, including requesting Dedalus to implement non-regression testing to prevent future occurrences. They also communicated with affected patients and provided additional support. Dedalus contended that it was not contractually required to perform regular vulnerability assessments and argued that the error was accidental and limited in scope. They claimed the breach was due to an isolated incident and requested either the closure of the case or a lesser penalty. The findings underscored that Dedalus, despite its arguments about the limitations of its contractual obligations, did not adequately address the security needs or conduct necessary periodic checks and failed to implement appropriate technical and organizational security measures as required by GDPR. As a result, the breach lasted for four days and involved a manageable number of patients with no substantial evidence of damage or misuse. In response, the Authority imposed a fine of €8,000 for non-compliance with GDPR standards.