Società Ospedale San Raffaele srl – €70,000 Fine (Italy, 2022)
Società Ospedale San Raffaele accidentally exposed patients' email addresses by using CC instead of BCC in newsletters. This mistake revealed sensitive health information, leading to a €70,000 fine. It's a reminder to handle patient data carefully to protect privacy.
What happened
Società Ospedale San Raffaele exposed patients' email addresses by using CC instead of BCC in newsletters.
Who was affected
Patients who received newsletters from the hospital's Neurology and Transplant units were affected.
What the authority found
The Italian DPA ruled that the hospital violated data protection rules by sharing personal and health data without a legal basis.
Why this matters
This case highlights the importance of securing patient data and ensuring proper email practices. Healthcare providers must be vigilant in protecting sensitive information to avoid breaches and fines.
GDPR Articles Cited
The controller is Società Ospedale San Raffaele srl (a hospital). The data subjects are the patients of the hospital. The controller notified the DPA of two data breaches. The email addresses of (1) 499 recipients of a newsletter from the Neurology Operative Unit and (2) 90 recipients of a newsletter from the Transplant and Metabolic-Bariatric Surgery unit were placed in the CC field instead of the BCC field. This exposed the email addresses of all recipients to each other. The controller stated that because of the limited scope of the violation, there was no concrete risk to the rights and freedoms of the data subjects. It further argued that 193 email addresses did not contain references to any names, so they were not personal data. The controller also stated that it happened due to a human error. The controller adopted new technical and organisational measures to ensure data security. These included additional training, possible disciplinary sanctions against the person responsible and/or their superior, and the establishment of a working group supervised by the DPO to implement these measures. Regarding the controller's argument that the scope of the violations was limited, the DPA noted that (1) an email address in itself is personal data, even without references to names. Moreover, (2) it included health data (Article 4(15) GDPR), as the newsletters were sent to patients of the respective medical facilities, thus revealing possible information about their health. The DPA noted that the processing of health data can pose significant risks to the fundamental rights and freedoms of data subjects. There was no legal basis for the processing activities. The DPA therefore held that the controller violated Article 5(f) (principles of integrity and confidentiality) and Article 9 by communicating personal data, including health data, to third parties without a legal basis. The DPA fined the controller €70,000. When deciding the fine, the DPA took the unintentional nature of the breach, the addi
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Società Ospedale San Raffaele srl in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
28 April 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€70,000
GDPRhub ID
gdprhub-5024
Cite as: Cookie Fines. Società Ospedale San Raffaele srl - Italy (2022). Retrieved from cookiefines.eu