Healthcare Committee Data Breach


Healthcare Committee Data Breach in Örebro County, Sweden after sensitive personal data of a patient was published on the region’s website.


A healthcare committee data breach was uncovered after complaints were filed with the Swedish Data Protection Authority (DPA) concerning the publication of a patient’s personal data on the region’s website. According to an article by the European Data Protection Board, the complaints concerned a patient admitted to forensic psychiatry whose personal details were found, through an audit, to have been published on the region’s website. The Swedish DPA found that the region’s website had published sensitive data wrongfully: there was neither a legitimate purpose nor a legal basis for the publication, and none of the exemptions from the prohibition on processing sensitive personal data under the General Data Protection Regulation (GDPR) applied. As a result, the DPA has fined the Committee and ordered changes to ensure compliance moving forward.


Swedish DPA audit uncovers lack of written instructions for publishing, increasing risk of a data breach.


The Swedish DPA performed an audit after receiving a complaint about the data breach in question and discovered that there were no written instructions in place for the publication of information on the Committee’s website. The Committee had depended solely on oral communication to pass on instructions for publication. The publication of this patient’s personal data was the result of those instructions not being followed. Although it was accidental, the publication was the result of insufficient organisational measures to ensure the protection of personal data.


Healthcare Committee Data Breach results in a fine of 120,000 Swedish kronor and an order for corrective action.


The Swedish DPA has ordered the Committee to establish written instructions for those tasked with publishing data on its website and to institute measures to ensure that those instructions are followed. In addition to ordering the Committee to bring its handling of personal data into full compliance with the GDPR, the DPA has also ordered the payment of a 120,000 Swedish kronor administrative fine (approximately 11,000 Euro). The published document that caused the data breach has since been removed from the region’s website.


What should the Healthcare Committee have done in order to avoid the breach?


- Have in place an adequate internal data protection policy providing written and clear instructions about how to process and secure the personal data held by the Committee.

Pursuant to Article 24 GDPR “(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary; (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.

- Deliver relevant training to employees. When it comes to reducing the risk of data breaches, it is paramount to train staff so that they understand both the new processes you have put in place and the data protection rules behind them.

Why are the measures above especially important in this case?

The data compromised involves health information, which is a special category of personal data; additional safeguards therefore apply, and the legal bases for processing it are limited to a few specific scenarios. However, it should be noted that the breach would have occurred even if the personal data published on the website had not been sensitive, because there was no legitimate basis for making the information public.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


GDPR Data Breach Notification WP29 Guidelines

The GDPR data breach notification obligation requires the adoption of appropriate technical and organisational measures to safeguard personal data during processing. Since assessing the degree of risk is not always straightforward, the Article 29 Data Protection Working Party (WP29) has recently adopted Guidelines on GDPR data breach notification.


When unauthorised or unlawful processing, or accidental loss, destruction or damage of personal data occurs, data controllers may be under an obligation to notify the supervisory authority and the data subjects after an appropriate risk assessment. The GDPR data breach Guidelines assist controllers and processors in complying with their obligations under Articles 33 and 34 of the GDPR following a security breach affecting personal data.

Data processor’s obligation

Although responsibility for the protection of personal data lies with the controller, the data processor must help ensure that the controller can comply with the notification requirements. Hence, if a processor becomes aware of a breach of personal data that it has been processing on the controller’s behalf, it is bound to notify the controller ‘without undue delay’.

Notification of the personal data breach to supervisory authority

In the event of a security breach likely to result in a risk to the rights and freedoms of individuals, the data controller is obliged to notify the lead supervisory authority, which may also provide guidance.

The time frame for notification is no later than 72 hours from the moment the controller obtained a reasonable degree of certainty that a breach compromising personal data has taken place. If the controller does not yet possess all relevant information, it may notify in phases, in parallel with its investigation.

Nonetheless, when the breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller is not under an obligation to notify. For instance, if an encrypted CD containing a backup of an archive with personal data is stolen, the notification requirement is unlikely to apply.

Communication of the personal data breach to data subjects

The assessment of risk is decisive for the requirement to communicate with data subjects. If the breach is likely to lead to a high risk to the rights and freedoms of individuals, such as discrimination, financial damage, identity theft, fraud or humiliation, the relevant individuals must be notified. The severity of the potential impact should be estimated on a case-by-case basis, taking into consideration the type of breach, the nature, sensitivity and volume of the personal data, the ease with which individuals can be identified, and the particular characteristics of the individuals and of the data controller.

The communication should be clear and transparent, delivered through dedicated messages and best circulated via several contact channels, e.g. email, advertisements in printed media, communication by post, or prominent website banners.

Failure to notify data subjects or the supervisory authority

If controllers do not comply with their obligations to notify the supervisory authority, the data subjects, or both of a data breach, corrective measures including appropriate administrative fines may apply. Pursuant to Article 83(4)(a) of the GDPR, the supervisory authority is entitled to impose an administrative fine of up to 10,000,000 EUR or up to 2% of the undertaking’s total worldwide annual turnover.

Suggested response plan

What to do next? With the help of your Data Protection Officer, a response plan comprising the following areas should be prepared:

  • A person or group of persons should be responsible for receiving all information about security incidents, in order to establish whether a breach has occurred and to assess the risk.
  • A risk assessment regarding the rights and freedoms of individuals should take place and, according to its findings (no risk, risk or high risk), the result should be communicated to the appropriate sections of the organisation.
  • If a likelihood of risk is established, the controller must notify the supervisory authority and, if the risk is high, communicate the breach to the individuals involved.
  • Simultaneously, the controller should take the relevant measures to contain the breach and recover from it.

Do you require assistance preparing for the GDPR and managing your data protection obligations after it becomes applicable? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.