Italy: Garante fines Emilia-Romagna authority €50,000 for health information security failure

The Italian data protection authority ('Garante') announced, on 19 February 2021, its decision to fine the local health authority of Emilia-Romagna €50,000 for failing to take adequate measures to ensure the security of personal data. In particular, following its investigation, the Garante found that, in spite of an explicit request by a patient that no third party or family member acquire information about their health, hospital staff accidentally contacted a family member and made them aware of the patient's health data, which constituted a data breach involving health data. In addition, the Garante considered that the hospital had not implemented adequate measures for managing patients' records and telephone numbers and had therefore violated Articles 5(1)(a), (d), and (f), 9 and 32(1)(b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

You can read the newsletter here and the decision here, both only available in Italian.