Three health structures have been sanctioned by the Italian Data Protection Authority: they have communicated health information to the wrong persons.

Healthcare organisations must adopt all the technical and organisational measures needed to prevent their patients' personal data from being accidentally disclosed to other persons. The Italian Data Protection Authority reiterated this when it sanctioned two hospitals and a local health authority (ASL) for errors caused not by hacker attacks but by inadequate procedures and simple human error.

A hospital in Tuscany was fined 10,000 euros for emailing to the wrong patient a medical report belonging to another couple, which contained health information and information about their sexual life.

A hospital in Emilia-Romagna was likewise fined 10,000 euros for sending patients clinical documentation that contained data and medical records of other patients; in one case the other patient was a minor. In both cases the fines were calculated taking into account that the healthcare organisations immediately demonstrated a high level of cooperation with the Authority and that the episodes were isolated and unintentional.

Both organisations have also planned additional technical and organisational measures to reduce the risk of human error.

A third case concerns an ASL in Emilia-Romagna, where a patient had explicitly asked, by signing a specific form, that nobody, not even her relatives, be informed of her state of health. The form was placed in her clinical record. A nurse in her department, unaware of the woman's request, contacted her not on her private telephone but on the home number recorded in the organisation's registry, and so ended up speaking with a relative.

In this case too, the organisation acknowledged the errors that led to the data breach. It undertook to implement a computerised system for managing the telephone numbers of hospitalised patients and to prepare a single form with which patients can state whether they wish information on their state of health to be communicated to third parties, backed by a specific company policy. The ASL, which also faced a claim for damages from the patient, must pay a fine of 50,000 euros for breaching the GDPR.

In the light of these episodes and of others still under assessment, the Italian Data Protection Authority reiterated that information on a person's state of health may be communicated to third parties only on the basis of a legal requirement or at the indication of the data subject, subject to prior written authorisation. It called on all healthcare providers to comply fully with the principles of fairness and transparency by adopting technical and organisational measures that serve not only to protect against cyber attacks but also to prevent personal data breaches, especially of the most sensitive data such as health data, which are all too often caused by inadequate management procedures.

SOURCE: FEDERPRIVACY
