Hälso- och sjukvårdsnämnden, Region Västerbotten – €220,000 Fine (Sweden, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Swedish DPA fined the Västerbotten Region Healthcare committee €220,000 for not properly assessing risks before granting access to patient records. This is important because it shows that healthcare organizations must take responsibility for protecting patient data.
What happened
The Västerbotten Region Healthcare committee failed to conduct adequate risk assessments before allowing access to patient files.
Who was affected
Patients whose medical records were accessed by healthcare workers in the Västerbotten region were affected.
What the authority found
The DPA decided that the healthcare committee did not meet legal requirements for risk assessments and was responsible for ensuring proper data protection measures.
Why this matters
This case highlights the accountability of central management in healthcare organizations for data protection. It underscores the importance of comprehensive risk assessments to safeguard patient privacy and comply with GDPR.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The DPA opened an investigation against the Västerbotten Region Healthcare committee (Hälso- och sjukvårdsnämnden) on 22 March 2019. The DPA wanted to investigate whether a risk and needs assessment was carried out before healthcare workers were given access to patient files from their own department and files from other healthcare departments. The DPA had already found in 2015 that the Region of Västerbotten's needs and risk assessment did not comply with the requirements of the law and had instructed them to carry out a new assessment.

Swedish healthcare regulations require that a caregiving institution conduct a risk and necessity analysis before granting its employees access to medical records. The caregiving institution must analyze what privacy risks patients face and what information employees need access to. The caregiving institution must use the analysis as a tool to ensure that each employee has access only to what he or she needs to do his or her job.

The Healthcare committee is the executive body running the region's health care system. The committee's guideline on information security made the operational manager of each health care unit responsible for conducting a needs and risk analysis before giving a health care worker's user account access to patient records.

The DPA held that the Västerbotten Region Healthcare committee did not have a needs and risk analysis that met the statutory requirements. The DPA did not accept the view of the Healthcare committee that it was the responsibility of the head of each health department to carry out the analysis. The DPA took the view that the central management of the healthcare committee was responsible for carrying out such an analysis and that it was an organizational measure carried out at a strategic level for the healthcare system it operated as a whole. In addition, the DPA had comments on the risk and needs analysis outline that the healthcare committee gave to each health unit manager. Th
Related Enforcement Actions (0)
No other enforcement actions found for Hälso- och sjukvårdsnämnden, Region Västerbotten in SE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 2 December 2020
Authority: DPA Datainspektionen
Fine Amount: €220,000 (2,500,000 SEK)
GDPRhub ID: gdprhub-3044
Cite as: Cookie Fines. Hälso- och sjukvårdsnämnden, Region Västerbotten - Sweden (2020). Retrieved from cookiefines.eu