🇪🇸 Privacy: A Bug Causes Automatic Sending of Data to Third Parties

Confidentiality & Security | 26/03/2025

🚨 Health Data and Adequate Protection! 🚨

Source: AEPD sanctioning procedure PS 00540-2024

A Spanish health insurance provider, Ibermutua, has been fined €600,000 for a confidentiality breach.
The data of 3,395 employees on sick leave was mistakenly sent to 354 client companies, each of which received information about employees of other companies.

💡 A simple software bug in a routine notification job can expose sensitive data at scale and carry major legal and financial consequences.

🔍 Compromised Data

Personal data: first name, surname, age, social security number…
Sensitive (health) data: type of sick leave (illness, accident), leave status, start and end date of absence, number of days off, employer, cost of medical benefits, occupation code, and whether the absence was due to a work or commuting accident.

The error was due to a bug in the automatic notification system of the Ibermutua Digital platform: instead of each client company receiving a file limited to its own employees, the Excel attachments sent to client companies were cumulative, so a recipient's file also carried records of employees belonging to other companies.
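The cumulative-attachment pattern described above is a classic batch-export bug: a buffer created once, outside the per-recipient loop, keeps growing, so every recipient after the first gets everyone else's rows. The following added example is constructed for this page and is not Ibermutua's code; the record fields, company names and the `send` callback are assumptions, and CSV stands in for the Excel export. It shows the buggy builder beside a per-recipient one, plus the pre-send check the AEPD found missing: refuse to dispatch any batch in which a file contains another employer's data.

```python
"""Cumulative-attachment bug and a pre-send guard (constructed illustration).

Not Ibermutua's code. Records, company names and the send callback are
assumptions made for this example; CSV stands in for the Excel export.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class LeaveRecord:
    """One employee on leave. Field names are assumptions for the illustration."""
    employer: str
    employee: str
    leave_type: str
    days_off: int


# Constructed sample data (not from the case): three client companies.
RECORDS = [
    LeaveRecord("Company A", "Employee 1", "illness", 12),
    LeaveRecord("Company A", "Employee 2", "work accident", 30),
    LeaveRecord("Company B", "Employee 3", "illness", 5),
    LeaveRecord("Company C", "Employee 4", "commuting accident", 45),
    LeaveRecord("Company C", "Employee 5", "illness", 3),
]


def companies(records):
    """Distinct recipients, in a stable order."""
    return sorted({r.employer for r in records})


def build_attachments_buggy(records):
    """Reproduces the cumulative-file pattern: the row buffer is created once,
    outside the per-recipient loop, so the second company's file also holds
    the first company's rows, the third holds both, and so on."""
    rows = []                      # BUG: shared across recipients
    attachments = {}
    for company in companies(records):
        rows.extend(r for r in records if r.employer == company)
        attachments[company] = list(rows)   # snapshot of everything seen so far
    return attachments


def build_attachments_fixed(records):
    """Each recipient's file is built only from that recipient's own rows."""
    return {
        company: [r for r in records if r.employer == company]
        for company in companies(records)
    }


def leaked_rows(attachments):
    """Rows whose employer is not the recipient they are addressed to."""
    return [
        (recipient, r)
        for recipient, rows in attachments.items()
        for r in rows
        if r.employer != recipient
    ]


def to_csv(rows):
    """Serialise one attachment (CSV stands in for the Excel export)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["employer", "employee", "leave_type", "days_off"])
    for r in rows:
        writer.writerow([r.employer, r.employee, r.leave_type, r.days_off])
    return buf.getvalue()


def dispatch(attachments, send):
    """Pre-send guard: refuse the whole batch if any file carries another
    employer's data; otherwise hand each file to send(recipient, body) and
    return the number of messages sent."""
    leaks = leaked_rows(attachments)
    if leaks:
        raise ValueError(
            f"refusing to send: {len(leaks)} row(s) addressed to the wrong employer"
        )
    for recipient, rows in attachments.items():
        send(recipient, to_csv(rows))
    return len(attachments)


if __name__ == "__main__":
    buggy = build_attachments_buggy(RECORDS)
    print("buggy build leaks", len(leaked_rows(buggy)), "rows")
    try:
        dispatch(buggy, lambda rcpt, body: None)
    except ValueError as exc:
        print("guard blocked the batch:", exc)
    sent = []
    dispatch(build_attachments_fixed(RECORDS), lambda rcpt, body: sent.append(rcpt))
    print("fixed build sent to", sent)
```

The guard is deliberately independent of the builder: it re-derives the recipient from the data already in the file rather than trusting the loop that produced it, so it catches the accumulation bug (and any similar mix-up) before a single message leaves the system. With the buggy builder the batch is rejected outright; with the per-recipient builder all three messages go out.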

⚠️ Identified Violations

The AEPD ruled that this data breach violated Article 5.1.f of the GDPR (the integrity and confidentiality principle): Ibermutua failed to ensure an adequate level of protection for the personal data it processed.

Aggravating factors:
Large number of affected individuals (3,395 data subjects).
Health data involved, which is a special category of personal data requiring a higher level of protection (Article 9 of the GDPR).
Lack of preventive measures: the incident revealed insufficient security controls and no testing of the outgoing attachments before emails containing sensitive data were sent.

⚖️ Sanctions and Obligations

The AEPD imposed an initial fine of €1,000,000, reduced to €600,000 after Ibermutua acknowledged responsibility and paid early (two successive 20% reductions).

In addition to the fine, Ibermutua was required to implement corrective measures, including:
Reviewing security procedures to prevent further email-sending errors.
Implementing a new secured system, hosted on AWS, to manage access and document distribution.
Strengthening audits and controls in its data processing procedures.
