The Barreiro Hospital in Portugal was fined 400,000 € by the Portuguese Data Protection Authority CNPD (Comissão Nacional de Proteção de Dados) for incompliancy with the EU General Data Protection Regulation (GDPR) by not separating access rights to patents’ clinical data.
The public sector hospital had granted access to patients’ clinical data via their system to at least nine persons who are non-medical professionals (social workers). In addition, the CNPD discovered that 985 users with an access role for medical doctors were registered, while there are only 296 physicians working at the hospital. Furthermore, patient data at Barreiro hospital was not separated properly from archived data of another hospital, and access authentication mechanisms were found to be insufficient.
The fines were imposed after the Authority had carried out an inspection at the hospital after having been alerted by the medical association. The CNPS held that the principles of integrity and confidentiality, data minimization in order to limit access to patients’ clinical data, and the controller’s inability to ensure the confidentiality and integrity of the data in their system (data security) were violated. The first two breaches were considered with 150,000 € each, while the third led to an increase by 100,000 €.
The hospital is questioning the CNPD’s authority for imposing such fines. It may still request a judicial review of the CNPS’s decision.