GDPR Fine of EUR 400,000 to Portuguese Hospital

Significant GDPR fine imposed for IT access infringements 

October 2018 | Omada

Significant GDPR Fine of EUR 400,000 to Portuguese Hospital

The first large fine in Europe for violating the EU General Data Protection Regulation (GDPR) has been imposed in Portugal. A Portuguese hospital has been fined a total of EUR 400,000 for two GDPR infringements arising from irregular access to patient data.

The Portuguese data protection authority CNPD (Comissão Nacional de Protecção de Dados) announced on Monday, October 22, 2018 that Centro Hospitalar Barreiro Montijo (CHBM) has been fined for two violations of the GDPR, according to the media outlet Público.

The hospital has been fined for non-compliant access to privacy data: too many people had access to patient information, an infringement that carries a fine of EUR 300,000.

Secondly, the hospital was unable to document that it can "ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services", which led to a further fine of EUR 100,000. The hospital now intends to take legal action against the decision.

IT Audit Reveals Unrestricted Access to Patient Data

An audit by the Data Commission (CNPD) found that the hospital operator "deliberately" ensured that users with "technical" profiles in the IT systems could access data that should only be accessible to doctors. A test determined that a technical profile with unlimited access could be created within the framework.

In addition, a total of 985 active users with a "doctor" profile were registered in the system, although only 296 doctors were assigned to the hospital in 2018. The hospital attempted to explain the discrepancy by pointing to temporary profiles created under a service contract.

Access Control a Minimum Requirement for Today’s Organizations

The ability to properly control access to privacy data is a minimum requirement for any organization to operate, public or private. Not only are large financial penalties at stake, as in this case, but there is also the risk of reputational damage.

To comply with the GDPR, organizations must have processes in place to manage and monitor access compliance. Implementing an Identity Governance and Administration (IGA) system makes it possible to ensure continuous GDPR compliance for user and access management. IGA addresses essential GDPR challenges around access control and transparency, enabling organizations to improve security and compliance while managing users’ access rights efficiently.

Identity and Access Management allows organizations to control users’ access to IT systems and to determine and document when and why access was granted. With this technology in place, your organization can prove to the authorities that it controls and governs its user identities, thereby protecting sensitive data and complying with the GDPR.
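The two audit findings above (far more "doctor" profiles than assigned doctors, and "technical" profiles that could reach patient data) are exactly what a periodic access review is meant to surface. The check below is an added illustration, not Omada's product code or anything from the hospital's systems; the account export format, role names, HR roster and permission strings are all constructed assumptions.

```python
"""Access-review check: reconcile system role assignments against an HR roster.

Added example (not Omada's or the hospital's code). All data is constructed;
the role names, the 'patient.' permission prefix and the '*' wildcard are assumptions.
"""
from collections import Counter

# Constructed: accounts as exported from a clinical IT system.
ACCOUNTS = [
    {"user": "a.silva",  "role": "doctor",    "hr_id": "E100", "perms": {"patient.read"}},
    {"user": "b.costa",  "role": "doctor",    "hr_id": "E101", "perms": {"patient.read"}},
    {"user": "tmp-0417", "role": "doctor",    "hr_id": None,   "perms": {"patient.read"}},
    {"user": "tmp-0418", "role": "doctor",    "hr_id": None,   "perms": {"patient.read"}},
    {"user": "svc-lab",  "role": "technical", "hr_id": "C200", "perms": {"*"}},
    {"user": "it.ops",   "role": "technical", "hr_id": "E300", "perms": {"system.admin"}},
]
# Constructed: HR employee ids of staff actually holding the doctor job code.
HR_DOCTORS = {"E100", "E101"}


def reaches_patient_data(perms):
    """A wildcard or any 'patient.*' permission counts as reaching patient data."""
    return "*" in perms or any(p.startswith("patient.") for p in perms)


def review_access(accounts, hr_doctors):
    """Return findings a reviewer would raise, as tuples (finding, details...).

    Mirrors the audit: a headcount mismatch (985 doctor profiles vs 296 doctors
    in the article), doctor accounts with no HR record behind them, and
    technical profiles whose permissions reach data meant only for doctors.
    """
    findings = []
    doctor_profiles = Counter(a["role"] for a in accounts)["doctor"]
    if doctor_profiles > len(hr_doctors):
        findings.append(("role_headcount_mismatch", "doctor", doctor_profiles, len(hr_doctors)))
    for a in accounts:
        if a["role"] == "doctor" and a["hr_id"] not in hr_doctors:
            findings.append(("doctor_without_hr_record", a["user"]))
        if a["role"] == "technical" and reaches_patient_data(a["perms"]):
            findings.append(("technical_profile_reaches_patient_data", a["user"]))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR_DOCTORS):
        print(finding)
```

Each finding names the account to be certified or revoked, which is the evidence trail ("when and why access was granted") that the article says the hospital could not produce.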
