GDPR Fine of EUR 400,000 to Portuguese Hospital
Significant GDPR fine imposed for IT access infringements
October 2018 | Omada
The first large fine within Europe for violating the EU General Data Protection Regulation (GDPR) has been imposed in Portugal. Due to irregular access to patient data, a Portuguese hospital has been fined a total of EUR 400,000 for two GDPR infringements.
The Portuguese data protection authority CNPD (Comissão Nacional de Protecção de Dados) announced on Monday, October 22, 2018 that Centro Hospitalar Barreiro Montijo (CHBM) has been fined for two violations of the GDPR, according to the media outlet Público.
The first infringement, which carries a fine of EUR 300,000, is non-compliant access to personal data: too many people had access to patient information.
Secondly, the hospital was unable to document that it can "ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services", which led to a further fine of EUR 100,000. The hospital now intends to take legal action against the decision.
IT Audit Reveals Unrestricted Access to Patient Data
An audit by the Data Commission found that the hospital operator "deliberately" ensured that users with "technical" profiles in the IT systems could access data that should only be accessible to doctors. A test showed that a technical profile with unlimited access could be created in the system.
In addition, a total of 985 active users with a "doctor" profile were registered in the system, although in 2018 only 296 doctors had been assigned to the hospital. The hospital has attributed the discrepancy to temporary profiles created under a service contract.
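As an added example (not from the article, from Omada or from the hospital), the following Python access-review check reconciles active system profiles with an HR roster and flags the two audit findings described above: more "doctor" profiles than doctors on staff, and non-clinical profiles that can reach patient data. All usernames, profile names and entitlements are constructed sample data.

```python
# Hypothetical access-review helper; sample data below is constructed, not from the CNPD audit.
HR_ROSTER = {  # username -> job function according to HR
    "alice": "doctor",
    "bob": "doctor",
    "carol": "nurse",
    "dave": "technical",
}

ACTIVE_ACCOUNTS = [  # username, assigned system profile, effective entitlements
    {"user": "alice", "profile": "doctor", "perms": {"patient:read", "patient:write"}},
    {"user": "bob", "profile": "doctor", "perms": {"patient:read", "patient:write"}},
    {"user": "carol", "profile": "doctor", "perms": {"patient:read", "patient:write"}},
    {"user": "vendor01", "profile": "doctor", "perms": {"patient:read"}},
    {"user": "dave", "profile": "technical", "perms": {"*"}},
]

PATIENT_DATA = {"patient:read", "patient:write"}
CLINICAL_PROFILES = {"doctor", "nurse"}


def doctor_profile_excess(accounts, roster):
    """Active 'doctor' profiles minus doctors on the roster (985 vs 296 in the audit)."""
    active = sum(1 for a in accounts if a["profile"] == "doctor")
    staffed = sum(1 for role in roster.values() if role == "doctor")
    return active - staffed


def profile_mismatches(accounts, roster):
    """Accounts whose profile differs from the job function HR records for them,
    or who are not on the roster at all (e.g. leftover temporary profiles)."""
    return sorted(a["user"] for a in accounts if roster.get(a["user"]) != a["profile"])


def nonclinical_patient_access(accounts):
    """Non-clinical profiles whose entitlements reach patient data, including a
    wildcard ('*') grant, which amounts to unrestricted access."""
    return sorted(
        a["user"] for a in accounts
        if a["profile"] not in CLINICAL_PROFILES
        and ("*" in a["perms"] or a["perms"] & PATIENT_DATA)
    )


if __name__ == "__main__":
    print("doctor profiles beyond roster:", doctor_profile_excess(ACTIVE_ACCOUNTS, HR_ROSTER))
    print("profile/roster mismatches:", profile_mismatches(ACTIVE_ACCOUNTS, HR_ROSTER))
    print("non-clinical accounts reaching patient data:", nonclinical_patient_access(ACTIVE_ACCOUNTS))
```

In a real review the roster would come from the HR system of record and the accounts from the clinical application's user export, with any mismatch or non-clinical patient access treated as a finding to recertify or revoke.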
Access Control a Minimum Requirement for Today’s Organizations
The ability to properly control access to personal data is a minimum requirement for public and private organizations alike. Not only are large financial penalties at stake, as in this case, but there is also the risk of reputational damage.
To comply with the GDPR, organizations must have processes in place to manage and monitor access compliance. By implementing an Identity Governance and Administration (IGA) system, it is possible to ensure continuous compliance with the GDPR when it comes to user and access management. IGA solves essential GDPR challenges related to access control and transparency, and enables organizations not only to improve security and compliance but also to manage users' access rights efficiently.
Identity and Access Management allows organizations to control users' access to IT systems and to determine and document when and why access was granted. Having this technology in place means that your organization will be able to prove to the authorities that it can control and govern its user identities, thereby protecting sensitive data and complying with the GDPR.