St. Olavs Hospital – €65,250 Fine (Norway, 2021)

A Norwegian hospital notified the DPA of three personal data breaches lasting between two and nine years. The breaches found their origin in deficient internal systems upgrades, poorly managed access controls, routines not being followed, and lack of data deletion. The concerned personal data included names, social security numbers, health metrics data, sensitive health data (including information on substance abuse, or health data relating to children), and passwords stored in clear text in an unprotected server. These breaches were discovered during an audit by the Norwegian Office of the Auditor General. A significant number of patients were affected (e.g. about 21,000 records containing sensitive health data in one breach alone). However, the hospital did not have a comprehensive log, making it impossible to fully determine the extent of each breach. The DPA fined the hospital €76,870 (NOK 750,000) for breaching the requirements of internal control, security and safety for the processing of personal data under Article 32 GDPR, Article 24, [https://gdprhub.eu/index.php?title=Article_5_GDPR#1f Article 5(1)(f)] and [https://gdprhub.eu/index.php?title=Article_5_GDPR#2 Article 5(2)], as well as § 26(1) of the [https://lovdata.no/dokument/NL/lov/2018-06-15-38/ Personal Data Act] and §§ 22 and 23 of the [https://lovdata.no/dokument/NL/lov/2014-06-20-42 Health Records Act] (pasientjournalloven) . The DPA also pointed out that the highest-level management position, on behalf of the hospital, is accountable for the (negligent) violation.