The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), acted against Barreiro Montijo Hospital, near Lisbon, for failing to restrict access to patient data stored in its patient management system.
Concerns at Barreiro Montijo Hospital were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.
CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patients’ health information, although only 296 physicians were employed at the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. Moreover, CNPD discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.
The hospital has been fined €400,000 for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.
More information on GDPR is available here.