News
Confidentiality: a doctor sends a file with his patients' data by email
A doctor forgets the fundamental rules of the GDPR!
Sending a patient list by email: a costly mistake
To justify a change to a work schedule, a doctor sent an email with an attachment containing the personal data of 13 patients: names, dates of birth, phone numbers, treatment locations, services provided and even payment details. All of it was disclosed without a legal basis and without any data security measures.
€5,000 fine for the health authority
The South Tyrol Health Authority, as data controller, was fined by the Italian data protection authority for GDPR violations. Sensitive health data had been unlawfully shared with several companies and external services.
Violations identified:
- Violation of GDPR Articles 5(1)(c) and (f), 9 and 32, i.e. the data minimisation and integrity/confidentiality principles, the rules on special categories of data (health data) and the security-of-processing obligation: there was no legal basis for processing the health data and no security.
- Failure to apply the principle of data minimisation: the doctor could have justified the schedule change without exposing sensitive patient data.
- Lack of appropriate technical and organisational measures: no clear internal directives on the protection of health data.
- Disclosure to multiple recipients without adequate safeguards: only some of the recipients were bound by medical confidentiality.
Key takeaways:
- Never send sensitive data as a plain email attachment; unprotected email is not a secure channel.
- Ensure every processing activity has a legal basis.
- Apply the principle of data minimisation: share only what is strictly necessary for the purpose.
- Implement technical and organisational security measures, and train staff on them.
Health data is highly sensitive. A single email can lead to heavy sanctions and a serious breach of patient confidentiality.