Sahlgrenska University Hospital, Board of directors – €308,000 Fine (Sweden, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Swedish DPA fined Sahlgrenska University Hospital for not properly managing access to patient records. Despite having a system to track access, the hospital allowed too many employees to view sensitive information without proper justification. This case emphasizes the importance of strict access controls in healthcare settings.
What happened
Sahlgrenska University Hospital allowed broad access to patient records without conducting proper risk assessments.
Who was affected
Patients whose medical records were accessed by employees at Sahlgrenska University Hospital.
What the authority found
The Swedish DPA found that the hospital did not take adequate measures to protect patient data, violating GDPR's data protection rules.
Why this matters
This decision stresses the need for healthcare institutions to enforce strict access controls and conduct regular risk assessments. It serves as a cautionary tale for similar organizations handling sensitive data.
In April 2019, the DPA conducted an on-site inspection at Sahlgrenska University Hospital (Sahlgrenska universitetssjukhuset). The hospital is part of the Västra Götaland region. Four years earlier, the DPA had issued a supervisory decision concluding that the hospital had failed to carry out a necessity and risk analysis in accordance with the legal requirements.

The hospital maintains the medical records of about 900 000 patients. There are about 25 000 user accounts with access to the medical records system, although the hospital has only about 18 000 employees. The hospital cooperates with other branches of the Västra Götaland region and assumes that the employees in the departments with which it cooperates have a legitimate need for direct access to the medical records. For the purposes of [https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/patientdatalag-2008355_sfs-2008-355#K4P1 Chapter 4(1) of the Swedish Patient Data Act], the hospital considers this information to be lawfully shared within the same inner private zone (inre sekretess zon).

All health care workers, including medical secretaries, have general access to all medical records, including those outside their department. If the patient has restricted access to his or her record, only those who work in that department can see the record. Doctors and nurses have general and emergency access. This means that they can access restricted medical records outside their department in a situation where the patient is unable to give consent.

The hospital also maintains a log when a medical record is accessed. The log shall include the name of the health care professional, the portion of the record that was accessed, and the date and time of the last access.

The DPA examined the following questions:

1. Has the hospital taken appropriate technical and organizational measures to protect personal data in medical records?
   a. Has the hospital conducted a proper necessity and risk analysis?
   b. Has the hospital assigned authorizat
Related Enforcement Actions (0)
No other enforcement actions found for Sahlgrenska University Hospital, Board of directors in SE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 December 2020
Authority
DPA Datainspektionen
Fine Amount
€308,000
3,500,000 SEK
GDPRhub ID
gdprhub-2983
Cite as: Cookie Fines. Sahlgrenska University Hospital, Board of directors - Sweden (2020). Retrieved from cookiefines.eu