Sjukhusstyrelsen i Region Uppsala – Violation Found (Sweden, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hospital Board of the Region of Uppsala was found to have sent sensitive patient data in unencrypted internal emails. This could have exposed personal data, a serious matter for patient privacy. Although the Board received only a warning and no fine, the case highlights the importance of secure communication in healthcare.
What happened
The Hospital Board sent at least 15 unencrypted emails containing sensitive patient data over a 12-year period.
Who was affected
Patients whose personal identity numbers and health data were included in the unencrypted emails.
What the authority found
The authority ruled that the Hospital Board failed to implement proper security measures for handling personal data, violating Article 32(1) GDPR.
Why this matters
This case shows that a policy requiring staff to encrypt sensitive email is not enough on its own: the controller had an encryption tool and a policy, but staff did not always use it and nobody monitored the mail traffic. Other organisations should review their email practices, including automated systems that send personal data, to prevent similar issues.
GDPR Articles Cited
Article 32(1) GDPR
Original scraped data (before verification against the source document)
The Hospital Board of the Region of Uppsala (the controller) is responsible for providing health care at the Uppsala University Hospital and the Enköping Hospital. On 29 November 2022 the DPA received a report about a data breach regarding the controller's processing of patients' data. According to the report, personal data of patients (including their personal identity numbers and health data) were processed via insecure emails. The DPA started an ex officio investigation.

The investigation found that the controller had implemented an email encryption tool (on top of standard in-transit encryption) in order to secure internal emails, and required all staff to use it for any sensitive data sent by internal email. However, staff did not always follow this policy: at least 15 emails were sent unencrypted between 2010 and 2022. The DPA noted that this practice potentially exposed personal data in certain situations: for instance, if a staff member accidentally forwarded an email to an unintended recipient, that recipient would be able to read it. The risk of unintended disclosure was especially high because the controller did not monitor traffic to and from its staff's email accounts. Additionally, the DPA found that the controller used an automated messaging system for identity number merging. These messages were unencrypted and contained personal data of patients.

The DPA held that the controller failed to implement proper security measures, in violation of Article 32(1) GDPR. The DPA issued a warning against the controller but considered a fine unnecessary, since the controller had already taken steps to address its lacking security before the decision. In particular, the controller:
* carried out a risk and vulnerability analysis;
* deleted the emails containing unencrypted sensitive data;
* better instructed the staff about its data policy;
* changed its automated messaging system;
* impleme
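The two gaps the DPA describes, staff bypassing the encryption tool and no monitoring of mail traffic, are the kind of thing a simple outbound-mail check can catch. The following is an added example, not the controller's tool and not anything taken from the decision: it scans constructed mail records for Swedish personal identity numbers (personnummer, validated with the Luhn check digit so that arbitrary ten-digit numbers are not flagged) and reports messages that carry one but were not encrypted by the organisation's own tool. The `MailRecord` layout, the `encrypted` flag and all sample numbers are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Swedish personnummer: YYMMDD-NNNC or YYYYMMDD-NNNC; separator '-' or '+' or none.
# Coordination numbers (day + 60) are not handled here.
PNR_RE = re.compile(r"\b(\d{6}|\d{8})[-+]?(\d{4})\b")


def luhn_ok(ten_digits: str) -> bool:
    """Luhn check over the 10-digit form YYMMDDNNNC: weights 2,1,2,1,... from the left,
    digits of products summed, total must be 0 mod 10 (the last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(ten_digits):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_personnummer(candidate: str) -> bool:
    """True if candidate has personnummer shape, a plausible month/day and a valid check digit."""
    m = PNR_RE.fullmatch(candidate)
    if not m:
        return False
    date, tail = m.groups()
    ten = date[-6:] + tail  # drop the century if a 12-digit form was given
    mm, dd = int(ten[2:4]), int(ten[4:6])
    if not (1 <= mm <= 12 and 1 <= dd <= 31):
        return False
    return luhn_ok(ten)


def find_personnummer(text: str) -> list[str]:
    """All Luhn-valid personnummer in text (other 10-digit numbers pass Luhn ~1 in 10, so this is a triage signal)."""
    return [m.group(0) for m in PNR_RE.finditer(text) if is_valid_personnummer(m.group(0))]


@dataclass
class MailRecord:
    msg_id: str
    sender: str
    recipients: list[str]
    encrypted: bool  # assumed: True only when the body was encrypted by the organisation's tool; TLS does not count
    body: str


def flag_unencrypted_pnr(records: list[MailRecord]) -> list[tuple[str, list[str]]]:
    """Messages that carry a personnummer in the body but were not encrypted by the encryption tool."""
    findings = []
    for r in records:
        if r.encrypted:
            continue
        hits = find_personnummer(r.body)
        if hits:
            findings.append((r.msg_id, hits))
    return findings


# Constructed sample records: invented addresses and numbers, not real patients and not from the decision.
SAMPLE = [
    MailRecord("m1", "a@example.invalid", ["b@example.invalid"], True,
               "Patient 811218-9876 referred for follow-up."),          # encrypted: fine
    MailRecord("m2", "a@example.invalid", ["c@example.invalid"], False,
               "Patient 811218-9876 referred for follow-up."),          # plain text: flagged
    MailRecord("m3", "idsys@example.invalid", ["records@example.invalid"], False,
               "Merged identity 900101-1239 into 19900101-1239."),      # automated merge notice: flagged
    MailRecord("m4", "a@example.invalid", ["d@example.invalid"], False,
               "Call 0701234567 about order 900101-1230."),             # both fail Luhn: not flagged
]

if __name__ == "__main__":
    for msg_id, hits in flag_unencrypted_pnr(SAMPLE):
        print(msg_id, hits)
```

Run over the sample, only `m2` and `m3` are reported; `m4` shows why the check digit matters, since a phone number and a mistyped identity number would otherwise produce noise. Two caveats for real use: the `encrypted` flag has to come from the encryption tool itself, not from whether the SMTP hop used TLS, and inspecting staff mail content is itself processing of personal data that needs its own legal basis and documentation.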
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Sjukhusstyrelsen i Region Uppsala in SE
About this data
Cite as: Cookie Fines. Sjukhusstyrelsen i Region Uppsala - Sweden (2025). Retrieved from cookiefines.eu