A private clinic specializing in assisted reproductive technology (ART) experienced a significant data breach due to a cyberattack. The breach compromised the personal data of approximately 400 individuals, including patients and employees. The affected data included identity, contact information, financial details, and sensitive health and genetic information.

Even though the breach was detected on 21 December 2021, the affected individuals were not notified until 25 March 2022. The delay in notification and inadequate communication of the breach to all affected parties were critical issues identified during the investigation that ultimately led to the fine.

Breach of Data Protection Found by the Authority

The Spanish Data Protection Authority (AEPD) found several violations of the General Data Protection Regulation (GDPR) by the clinic. The AEPD determined that the clinic failed to implement appropriate technical and organizational measures (TOMs) to ensure the confidentiality of personal data, including health and genetic data. As a result, the clinic was fined 80,000 euros.

Additionally, the AEPD determined that the clinic did not fulfill its obligation to inform the affected individuals in a timely manner. The communication was not only delayed by three months but also incomplete, lacking necessary details such as the contact information for the Data Protection Officer and the potential consequences of the breach.

Key Takeaways

The processing of health data, including details about fertility and assisted reproductive technology procedures, imposes an obligation on companies to implement secure systems and procedures to collect, use, and maintain personal data. This is especially crucial for companies that process health data, as data protection authorities expect them to implement stricter measures to protect individuals' privacy. These measures should reduce the risk of data breaches. However, if a breach occurs, swift action must be taken to contact individuals without undue delay.

If your company processes health data for research or to provide health care and needs advice on how to handle it adequately to prevent and/or address data breaches, contact FIRST PRIVACY Health and Medical. Our team of data protection experts, specialized in the health and medical field, will be happy to support you.