🇮🇹 Confidentiality: a doctor sends a file with his patients' data by email
🚨 A doctor forgets the fundamental rules of the GDPR! 🚨🇮🇹
📧 Sending a patient list by email, a costly mistake!
To justify a change to a work schedule, a doctor sent an email attachment containing the personal data of 13 patients, including their names, dates of birth, phone numbers, treatment locations, services provided, and even payment details… All of it without a legal basis and without any data security measures! ❌🔐
⚖️ €5,000 fine for the health authority
The South Tyrol Health Authority 🇮🇹, as the data controller, was fined by the Italian DPA for GDPR violations. Sensitive health data had been shared unlawfully with several companies and external services. ❌
📌 Violations identified:
🔹 Violation of GDPR Articles 5(1)(c) and (f), 9, and 32: no legal basis for processing health data and no appropriate security measures.
🔹 Failure to apply the principle of data minimization: the doctor could have conveyed the information without exposing sensitive patient data.
🔹 Lack of appropriate technical and organizational measures: no clear internal directives on the protection of health data.
🔹 Disclosure to multiple recipients without adequate safeguards: only some of the recipients were bound by medical confidentiality.
🚨 Key takeaways:
✔️ Never send sensitive data via unprotected email.
✔️ Ensure every processing activity has a legal basis.
✔️ Apply the principle of data minimization: only share what is necessary.
✔️ Implement security measures and staff training.
⚠️ Health data is highly sensitive!
A single email can lead to heavy sanctions and a serious breach of patient confidentiality.