01.08.2022

Administrative fine of PLN 10,000 for disclosing patient’s data

The Polish DPA imposed an administrative fine on the University Clinical Center of the Medical University of Warsaw. The reason for the decision was the failure to notify a personal data breach to the DPA and failure to communicate the personal data breach to the data subject.

The Polish DPA received information from the Commissioner for Patients' Rights about a possible personal data breach at the University Clinical Center of the Medical University of Warsaw. One of the patients received a referral from a doctor to a specialty care clinic containing personal information about another person, covering: first name, last name, address of residence, personal identification number (PESEL number), and information about health status (the diagnosis and the purpose of the advice). In the course of the proceedings, the controller confirmed that the personal data of another patient had been mistakenly entered on the referral to the specialty care clinic, but after analysis it considered that the personal data appearing on the referral belonged to a person who did not actually exist. Although the controller classified the incident as a security incident, it concluded that the incident did not have significant consequences for the rights and freedoms of the data subject. Therefore, the controller decided not to notify the personal data breach to the supervisory authority, and also failed to communicate the personal data breach to the data subject.

Clerical error or other data

Meanwhile, in the opinion of the DPA, as a result of an error by the doctor issuing the referral to a specialty care clinic, a personal data breach occurred, involving the disclosure of personal data to an unauthorized person (another patient of the controller). In addition, according to the DPA, the document issued by the doctor contained a mistake only in the patient's name, while the rest of the data contained in the referral, i.e. name, address of residence and personal identification number (PESEL number), was the patient's own data. Hence, it cannot be considered that the incident concerned a non-existent person. Despite the error in this person's name, he or she can be easily identified.

High risk to rights or freedoms

Notification of personal data breaches by controllers is an effective tool for contributing to real improvements in the security of personal data processing. When notifying a personal data breach to the DPA, controllers inform the authority whether, in their assessment, there is a high risk to the rights or freedoms of data subjects and, if such a risk has arisen, whether they have provided the relevant information to the individuals affected by the breach. The DPA, in turn, verifies the assessment made by the controller.

In the case at hand, it is undeniable that the personal data provided to an unauthorized person included, in addition to so-called regular data, special categories of personal data, i.e. health data on the diagnosis and the purpose of the medical advice. Their wide scope entails a high risk to the rights or freedoms of individuals. In addition, it should be pointed out that the disclosure of another person's personal data to an unauthorized recipient, resulting from the controller's doctor giving him or her a referral to a specialty care clinic containing the wrong data, also constitutes a violation of medical confidentiality.

In the opinion of the DPA, the controller knowingly failed to notify the personal data breach to the supervisory authority and to communicate it to the data subject, despite becoming aware of the incident from the Commissioner for Patients' Rights and in spite of letters addressed to it by the DPA indicating the possibility of a high risk to the rights or freedoms of the data subject affected in the present case.

Full text of the decision