Region Nordjylland – Violation Found (Denmark, 2021)

A security flaw in a health care IT system used by a Danish region had made it possible to access other individuals' personal data and to delete their bookings. After logging in to their own account, users were able to access personal data related to other users by changing a number in the URL of the website. From may 2018 and until april 2021, users could take advantage of this security flaw, and thus access all correspondence between health care personnel and their patients, including personal data such as names, social security numbers, cell phone numbers, addresses and health data. 498 599 patients were registered in the system in April 2021. The region reported the personal data breach to the Danish DPA, and stated that there were no signs that the personal data has been accessed without authorisation or otherwise misused. The DPA held that the controller acted in violation of the security requirements of article 32 GDPR. The controller had entered into a technical development contract with the developer of the IT system without including sufficient obligations related to testing. The contract framework included an obligation to perform user tests, however it did not contain clear obligations to perform security tests. The DPA therefore reprimanded the controller for not implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk.