Moss municipality (kommune) – €43,500 Fine (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's Datatilsynet fined Moss municipality for not securing health records properly during a merger. Errors in vaccine and pregnancy records could have led to serious consequences for residents. This case highlights the importance of strong data security measures when merging IT systems.
What happened
Moss municipality failed to secure health records during a merger, leading to errors in vaccine and pregnancy data.
Who was affected
Residents of Moss municipality whose health records were transferred during the IT system merger.
What the authority found
The authority found Moss municipality violated GDPR by not having adequate security measures in place during the IT system merger.
Why this matters
This case underscores the need for municipalities and companies to conduct thorough data protection assessments and testing when merging IT systems. It serves as a reminder that proper data security is crucial to prevent errors that could impact people's health and safety.
GDPR Articles Cited
National Law Articles
The two municipalities Rygge and Moss merged in January 2020. In the process of merging their IT systems for health records, several errors occurred:

* Incorrect registration of vaccines. Some people were registered as having received vaccines when in reality they had not, and others were incorrectly registered as not having been given a vaccine when in fact they had.
* Errors in health records for pregnant women, including errors in the number of weeks into the pregnancy and in information about the mother's use of drugs/alcohol/nicotine.
* Patient health data was made accessible to unauthorized healthcare personnel, and it was not possible to trace any unauthorized access (in Norway a patient has the opportunity and right to view who has accessed their medical information).
* Errors relating to daily operations (administration), such as appointment books.

28,000 people were transferred during the merger of the IT systems and about 2,000 could potentially have been affected by errors. However, no one was actually affected, and the errors were rectified and are under control. Moss municipality notified the DPA itself about the personal data security breaches.

The DPA found, in the end, that the municipality had breached § 22 of the Norwegian Health Records Act (pasientjournalloven) and Article 32(1)(b) and (d) GDPR (cf. Article 5 GDPR). The DPA fined Moss municipality NOK 500,000 (€47,700) for insufficient technical and organisational measures to ensure a sufficient level of security when merging the IT systems. The DPA commented that the breaches were very serious and that the municipality should have conducted a data protection impact assessment (DPIA), as well as more testing, before making the changes.
Details
Fine Date
4 June 2021
Authority
Datatilsynet (Norway)
Fine Amount
€43,500
500,000 NOK
GDPRhub ID
gdprhub-3684
Cite as: Cookie Fines. Moss municipality (kommune) - Norway (2021). Retrieved from cookiefines.eu