Italy: Garante fines polyclinic €20,000 for disclosing medical online reports

The Italian data protection authority ('Garante') announced, on 26 October 2020, that it had published, in its monthly newsletter, a decision fining the polyclinic 'Università Campus Bio-medico di Roma' €20,000 for violating Articles 5(2)(a) and (f) and 9 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as well as Article 75 of the Personal Data Protection Code. In particular, the Garante outlined that the polyclinic had notified it of a data breach, as required by Article 33 of the GDPR, concerning the system through which medical reports can be accessed online. More specifically, the Garante found that 39 patients, while accessing their own online medical reports through a smartphone, had also been able to access a list of 74 other patients, including their reports and a list of the medical exams they had undergone. In addition, the Garante highlighted that the polyclinic attributed the breach to a human error made during the integration of two IT systems.

You can read the newsletter here and the decision here; both are available only in Italian.