Medicals Nordic – €80,400 Fine (Denmark, 2021)

In January 2021, the Danish DPA discovered that Medicals Nordic used WhatsApp to transmit "confidential information and health information" about citizens tested in the company's test centres. The DPA initiated an own-volition inquiry to assess whether Medicals Nordic had implemented appropriate organisational and technical security measures to safeguard the transmission of citizens' information. It found that employees at the company used their private phones to communicate confidential patient information to the central administration in charge of the four test centres it operated. It did so via WhatsApp group chats, to which all employees at these centres were added. As such, even employees who did not have a work-related need to process information about patients could access it. It included, among other things, the social security number and health data of citizens. Further, ex-employees who no longer worked at the company were not removed from the group chat due to "inadequate access management", meaning they still had access to this data. The Danish DPA held that "confidential information and health information about a large number of citizens has been processed unsafely and passed on to unauthorized persons, including employees who did not have a work-related need to receive the information [and ex-employees]". It emphasised that in several cases the violations were intentional as Medicals Nordic did not carry out necessary data-related risk assessments. Thus, it fined the company DDK 600,000 or approximately €80,500.