Norway: Datatilsynet fines Østfold Hospital NOK 750,000 for failure to adequately secure patient data
The Norwegian data protection authority ('Datatilsynet') announced, on 27 October 2020, that it has fined Østfold HF Hospital NOK 750,000 (approx. €69,000) for storing health data for an extended period of time without implementing sufficient measures to secure such data. In particular, Datatilsynet noted that there had been a breach involving sensitive patient information, which falls under the special categories of personal data, and that patients ready for discharge from the hospital were affected. Furthermore, Datatilsynet reported that the hospital had failed to implement access control mechanisms in the area where reports and patient files were being kept, and found that Østfold Hospital had not established a system to prevent future breaches and had failed to ensure that internal control procedures were being observed with respect to employees' access to files, and to storage and deletion on the server. Therefore, Datatilsynet imposed the fine and ordered the hospital to monitor compliance with its internal procedures for securing data, particularly where sensitive personal data is involved.
UPDATE (25 November 2020)
EDPB publishes Datatilsynet's press release in English
At Datatilsynet's request, the European Data Protection Board ('EDPB') published, on 25 November 2020, Datatilsynet's press release in English.
You can read the EDPB publication here.