Healthcare organisations must take all necessary technical and organisational measures to prevent patient data from being sent to the wrong recipients by mistake.
This was reiterated by the Garante per la privacy when it sanctioned a Veneto health authority for a personal data breach that involved 39,852 patients, aged under 6 or over 65 and with an income of less than EUR 36,151.98.
Each of these patients had received in their mailbox an exemption certificate containing the personal data (name, surname, place and date of birth, tax code, exemption code) of another patient.
The Authority's investigation, opened after it received several complaints and the data breach notification filed by the ASL, found that the breach had been caused by a technical data-misalignment problem in the database holding the patients' personal data.
The fine, amounting to EUR 10,000, was calculated taking into account that the health authority immediately showed a high degree of cooperation with the Garante and that the incident was isolated and unintentional.
The health authority has also planned further measures to minimise future errors, in particular by activating an online portal from which exemption certificates can be downloaded directly in digital format.
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9899946