Sykehuset Østfold HF – €65,250 Fine (Norway, 2020)

Østfold Hospital notified the DPA about a personal (patient) data breach, including insufficient security (lack of access controls and logs, not adhering to own policies and procedures) and storing personal data longer than necessary. Datatilsynets launched an investigation, which was concluded with a fine on 22 October 2020. The DPA held that Article 32, cf. Article 24 and 5(1)(f), as well as the Health Records Act § 22, were breached due to unauthorized access to patient data; that Article 32, cf. Article 24 and 5(2), as well as the Health Records Act § 23, were breached due to unauthorized access to and possible unauthorized alteration of patient data; that Article 32, cf. Article 24 and 5(1)(f) and 5(2), as well as the Health Records Act §§ 22 and 23, were breached due lack of confidentiality, integrity and availability and that Article 32, cf. Article 24 and 5(1)(e), as well as the Health Records Act § 23, were breached due to unlawfully storing personal data. The DPA finally held that the medical records system's option for extracting patient reports was not in line with the principles of data protection by design and default, cf. Article 25, cf. Articles 32 and 24, and that Østfold Hospital failed to adhere to the requirements as per Article 30 for this processing activity.