L’Azienda socio sanitaria territoriale Melegnano e della Martesana - A.S.S.T. – €3,500 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A local health authority in Italy accidentally gave a patient's medical report to the wrong person. This mistake led to a fine because it violated privacy rules about keeping health data secure. Health organizations should train staff properly to prevent such errors.
What happened
An employee at a local health authority mistakenly gave a medical report to the wrong patient.
Who was affected
The affected individual was a patient whose medical report was disclosed to another person.
What the authority found
The Italian data protection authority fined the health authority for not ensuring the confidentiality and security of health data, violating GDPR's integrity and confidentiality requirements.
Why this matters
This case underscores the need for healthcare providers to implement strict procedures and training to protect patient data. It serves as a reminder that human errors can lead to significant privacy breaches and legal consequences.
GDPR Articles Cited
This case was initiated by a data breach notification reported to the Italian DPA (Garante per la Protezione dei Dati Personali – Garante) by a controller, which in this case was the local health authority of Melegnano e della Martesana (L’Azienda socio sanitaria territoriale Melegnano e della Martesana - A.S.S.T.). The data breach concerned the unauthorised disclosure of a medical report to a third party. The data breach did not involve the controller’s IT systems and infrastructure, and was instead due to a mistake by an employee, who handed over the wrong physical paper copy of a medical report to another patient.

The controller explained to the Garante that it only became aware of the violation following a communication from the lawyer of the person to whom the medical documentation had been mistakenly given. The controller stated that it had subsequently asked this person to destroy any digital and paper copies that may have been made of it, and not to disclose the contents of the report to any third parties. Additionally, the controller stated that it had notified the affected data subject that the data breach had occurred, and had also conducted an internal audit to determine the causes of the mistake, revising its internal procedures and implementing further training courses focused on the correct management of documentation and health data.

The Garante held that the employee’s mistake had led to the disclosure of a data subject’s health data to a third party without a valid legal basis, in violation of Article 9 GDPR. Additionally, it held that the employee’s negligence also constituted a violation of the principle of integrity and confidentiality under Article 5(1)(f) GDPR on behalf of the controller, since the controller is responsible for processing personal data in such a way as to ensure security through appropriate technical and organisational measures in order to prevent unauthorised or unlawful processing. However, the Garante acknowledged,
Related Enforcement Actions (0)
No other enforcement actions found for L’Azienda socio sanitaria territoriale Melegnano e della Martesana - A.S.S.T. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 February 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€3,500
GDPRhub ID
gdprhub-4786
Cite as: Cookie Fines. L’Azienda socio sanitaria territoriale Melegnano e della Martesana - A.S.S.T. - Italy (2022). Retrieved from cookiefines.eu