First substantial GDPR fine issued against a hospital in Portugal

On October 11, the National Commission for Data Protection in Portugal (CNPD) issued the Barreiro-Montijo Hospital a fine of 400,000 euros for three violations of the General Data Protection Regulation.

The CNPD detected the following three data protection violations:

  1. Violation of the data minimization principle, by allowing indiscriminate access to an excessive number of users. 150,000 euro fine.
  2. Violation of integrity and confidentiality. 150,000 euro fine.
  3. The inability of the data controller to guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services. 100,000 euro fine.

The country’s supervisory authority found 985 users with the profile ‘doctor’ registered with active accounts that gave access to clinical files, although the official HR records reported only 296 doctors in that hospital. Using a test account, CNPD experts managed to access a patient’s clinical data from the digital files of another hospital, located in the town of Carnaxide.

Furthermore, the following breaches were also detected:

  • The hospital did not have internal rules for the creation of accounts (which were opened by different service directors after sending emails).
  • The hospital did not have internal rules for the different levels of access to clinical information.
  • The authentication method did not take into account the identifying data that link the different professionals to the hospital center.
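The gap between 985 active 'doctor' accounts and 296 doctors in the HR records is the kind of discrepancy a periodic access review surfaces. The following is an added example, not part of the CNPD decision or any hospital system: it reconciles an account export against an HR roster, and the CSV layouts, column names, facility codes and sample rows are all constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not data from the CNPD decision).
HR_CSV = """employee_id,role,facility
E1,doctor,A
E2,nurse,A
E3,doctor,A
E4,doctor,A
"""
ACCOUNTS_CSV = """username,employee_id,profile,active,facility
u1,E1,doctor,yes,A
u2,E2,doctor,yes,A
u3,,doctor,yes,A
u4,E3,doctor,no,A
u5,E4,doctor,yes,B
u6,E2,nurse,yes,A
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_profile(accounts, hr, profile="doctor"):
    """Return (active_count, hr_headcount, findings) for one access profile."""
    hr_by_id = {row["employee_id"]: row for row in hr}
    headcount = sum(1 for row in hr if row["role"] == profile)
    active = [a for a in accounts if a["profile"] == profile and a["active"] == "yes"]
    findings = []
    for acct in active:
        emp = hr_by_id.get(acct["employee_id"])
        if emp is None:
            reason = "no matching HR record"
        elif emp["role"] != profile:
            reason = "HR role is " + emp["role"]
        elif emp["facility"] != acct["facility"]:
            reason = "account facility differs from HR facility"
        else:
            continue
        findings.append((acct["username"], reason))
    return len(active), headcount, findings

if __name__ == "__main__":
    n_active, n_hr, findings = review_profile(load(ACCOUNTS_CSV), load(HR_CSV))
    print(f"active 'doctor' accounts: {n_active}, doctors in HR: {n_hr}")
    for user, reason in findings:
        print(f"  review {user}: {reason}")
```

Each finding is a candidate for deactivation or re-profiling; an account with no HR link at all is the case the third breach above describes.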

The Regulation defines personal data related to health as data “related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (article 4.15). The new aspect of this definition is that information and data related to the provision of health care services that reveal information on the person’s health status are now also included as health data.

Due to the importance that this type of data may have for the privacy of the person concerned, the GDPR grants it greater protection. This means that a series of additional conditions need to be met when processing this data. It is subject to proactive responsibility, obligating those concerned to implement measures to ensure correct regulatory compliance.

In this particular case, there are two issues that, had they been addressed, would have allowed the hospital to avoid the 400,000 euro fine. The first is that it did not seek the consent of patients, which, in accordance with Article 9 of the Regulation, must be explicit.

Without consent, the legislation only allows the processing of special-category data when certain special circumstances occur (listed in Article 9(2) of the GDPR). These include:

  • Processing to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent
  • Processing relates to personal data which are manifestly made public by the data subject
  • Processing for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional
  • Processing for archiving purposes in the public interest
  • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices

None of the listed exceptions applied in this case; therefore, to comply with the GDPR, the hospital should have obtained explicit consent from the patients to process their data. The hospital managers should have implemented a protocol or procedure to obtain consent and store it in the patient file, thus allowing access only to the data of the patients who had registered their explicit consent.

Nowadays there are digital platforms on the market to manage this consent and levels of data access. By implementing one of these platforms, the hospital would have collected the required consent and managed the access to data according to that consent, thereby avoiding a good part of the penalty. That said, it was the responsibility of the Hospital’s Administration to take the appropriate measures to guarantee patient data security. Thus, the CNPD concluded that the Hospital was aware of the necessary technical and organizational measures and deliberately neglected them.

Article 83.2 of the Regulation stipulates that administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58.2. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the intentional or negligent character of the infringement.

This factor highlights the irresponsibility of the managers in being aware of the preventive measures and choosing not to apply them, especially given that, as I mentioned previously, there are solutions in the market to guarantee regulatory compliance.

An interesting reflection is that, although the penalty refers to data minimization, it does not focus on the management of the database as such, but on the access procedures. It does not broach issues of encryption, security or pseudonymization; instead, it focuses on procedures for the creation and definition of access, as well as ensuring compliance with procedures.

Finally, I would like to mention some of the data management breaches detected. The lack of internal rules for the creation of accounts and for the management of the levels of access to information by hospital staff is, in my opinion, the greatest demonstration of lack of interest in protecting data that the law recognizes as requiring special protection. There are platforms designed to manage these different standards, from ISO to regulations such as the ones mentioned in this article. These platforms help with the implementation and automation of processes for regulatory compliance and can be completely customizable, allowing automation to be tailored to any organization which aspires to correctly fulfill the GDPR or any other national or international quality standard.