In October 2018, Comissão Nacional de Protecção de Dados, Portugal’s GDPR supervisory authority, fined a hospital (Centro Hospitalar Barreiro Montijo) 400,000 euros for 3 GDPR (General Data Protection Regulation) violations. The violations stem from the hospital’s alleged improper data access controls, failure to apply basic technical and organizational safeguards to prevent access to personal data, and failure to test the safeguards that ensure the security of data processing. The hospital is contesting the decision.
Violations, Fines, & Reasoning
First violation/fine: 150,000 euros for allowing indiscriminate access to data to an excessive number of users in violation of GDPR regulations Article 5(1)(c) (“data minimisation”) and Article 83(5)(a). The prohibited conduct is:
- “Doctor” user accounts, regardless of specialty, had access to all hospital client data, and
- “Technician” user accounts (9 specifically) were able to access the clinical process of hospital patients.
Second violation/fine: 150,000 euros for failure to apply “technical and organizational measures to prevent unlawful access to personal data” in violation of GDPR regulations Article 5(1)(f) (“integrity and confidentiality”) and Article 83(5)(a). The prohibited conduct is:
- The hospital had no document defining the rules for creating users of the hospital’s information system.
- The hospital had no document “containing the correspondence between the functional competences of the users and the profiles for access to the information (including to clinical information).”
- Only 18 user accounts were deactivated by, the last of which was deactivated in November 2016. Particularly, the hospital maintained many profiles for doctors who had no recent activity. In fact, there were 985 “Doctor” profiles, but only 296 profiles registered any activity in the past 10 months. The hospital justified the idle profiles as “temporary profiles” of doctors contracted under a service regime.
Third violation/fine: 100,000 euros for the hospital’s inability to ensure the confidentiality, integrity, availability and permanent resilience of processing systems and services at an appropriate level, in violation of GDPR regulations Article 32(1)(b). There was also a finding that the hospital failed to implement measures to ensure a sufficient level of security to the risk.
Lessons to be learned for GDPR Compliance:
- For larger providers, do not give doctors access to all data; there must be divisions by specialty.
- Do not provide technical staff access to clinical data.
- Ensure procedures are in place so that account types only have access to what they need.
- Deactivate user accounts when the user is no longer employed or will not need access for an extended period of time.
- International Association of Privacy Professionals, Inc.: “First GDPR fine in Portugal issued against hospital for three violations“
- PÚBLICO Comunicação Social SA: “Hospital do Barreiro contests in court a fine of 400 thousand euros of Data Commission“