2022-07-26

UDINE. Unlawful processing of personal data, carried out through the information system used to archive and report the services provided by healthcare facilities: a security failure the regulator does not tolerate, because “healthcare companies must implement all the technical and organizational measures necessary to prevent access to patient data by medical and nursing staff not involved in the treatment process”. This was reiterated by the Privacy Guarantor, which sanctioned two ASLs (local health authorities) of Friuli Venezia Giulia: those of Udine and Pordenone.

The Authority also ordered the IT company that manages the application for consulting online reports to adopt corrective measures.

The Guarantor opened its investigation following numerous reports and complaints about the unlawful processing of personal data through the information system for archiving and reporting the services provided by the facilities of the Friuli Venezia Giulia Health Service, a system that had already been the subject of a previous provision. The checks carried out revealed several violations of the European Regulation (GDPR).

Access to the health dossier took place through systems which, not having been correctly configured, allowed everyone working in the two ASLs (and in all the others in the Region) to retrieve information on any patient, whether or not that patient had ever been treated in the two health facilities.

In one of the cases examined, the Guarantor ascertained that the configuration of the dossier had also made it possible for health personnel to access the health files of colleagues without any restriction.

Not only that: the system allowed the health workers of a prison to access the health files of all ASL patients, not just those of prisoners. In its “Guidelines on the health dossier” of June 2015, the Guarantor had instead established that “the data controller must pay particular attention to identifying the authorization profiles, adopting technical methods of authentication to the dossier that reflect the access cases specific to each structure”.

The Guarantor also ascertained further violations attributable to the company that manages the health-dossier application, including the failure to set up an alert system aimed at identifying anomalous or risky behaviour in the operations performed by the subjects authorized for treatment (e.g. the number of accesses performed, their type, or the time frame in which they occurred).
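The two controls the Guarantor refers to, authorization profiles that reflect each structure's access cases (the prison example above) and an alert system that flags anomalous access patterns by count, type and time frame (this paragraph), can be sketched together. The following is an added illustration written for this page; it is not the dossier application, the ASLs' configuration, or anything from the Guarantor's provision. The data model, the user and patient identifiers, the structures, the thresholds and the sample access log are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample model (hypothetical; not from the provision or the ASL systems).

@dataclass(frozen=True)
class Patient:
    patient_id: str
    structure: str           # facility whose dossier the record belongs to
    is_staff: bool = False   # the patient is also an employee of the health authority

@dataclass(frozen=True)
class Staff:
    user_id: str
    structure: str           # structure the authorization profile is bound to

@dataclass(frozen=True)
class AccessEvent:
    user_id: str
    patient_id: str
    ts: datetime

PATIENTS = {p.patient_id: p for p in [
    Patient("P1", "ASL-UD"), Patient("P2", "ASL-UD", is_staff=True),  # P2: a nurse's own file
    Patient("P3", "ASL-UD"), Patient("P4", "ASL-UD"), Patient("P5", "ASL-UD"),
    Patient("P6", "ASL-UD"), Patient("P7", "ASL-UD"), Patient("P8", "ASL-UD"),
    Patient("P10", "PRISON-UD"),            # prisoner followed by the prison health service
]}
STAFF = {s.user_id: s for s in [
    Staff("dr.rossi", "ASL-UD"), Staff("nurse.bianchi", "ASL-UD"), Staff("dr.verdi", "PRISON-UD"),
]}
# Active care relationships registered by the admission/treatment workflow (constructed).
CARE_RELATIONS = {("dr.rossi", "P1"), ("dr.rossi", "P4"), ("nurse.bianchi", "P1"), ("dr.verdi", "P10")}

def is_authorized(user_id, patient_id):
    """Authorization profile: same structure AND an active care relationship with the patient."""
    user, patient = STAFF.get(user_id), PATIENTS.get(patient_id)
    if user is None or patient is None or user.structure != patient.structure:
        return False
    return (user_id, patient_id) in CARE_RELATIONS

def detect_anomalies(events, max_distinct_patients=4, window=timedelta(hours=1), work_hours=(7, 20)):
    """Scan an access log and return (kind, user_id, patient_id, ts) alerts.

    kinds: 'unauthorized' denied by the authorization profile
           'colleague'    access to the file of a patient who is also staff, outside any care relation
           'off_hours'    access outside the configured working window
           'volume'       more distinct dossiers opened within `window` than expected
    """
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user_id].append(ev)
    for user_id, evs in by_user.items():
        recent = deque()                      # (ts, patient_id) pairs inside the sliding window
        for ev in evs:
            if not is_authorized(user_id, ev.patient_id):
                alerts.append(("unauthorized", user_id, ev.patient_id, ev.ts))
                patient = PATIENTS.get(ev.patient_id)
                if patient is not None and patient.is_staff:
                    alerts.append(("colleague", user_id, ev.patient_id, ev.ts))
            if not (work_hours[0] <= ev.ts.hour < work_hours[1]):
                alerts.append(("off_hours", user_id, ev.patient_id, ev.ts))
            recent.append((ev.ts, ev.patient_id))
            while recent and ev.ts - recent[0][0] > window:
                recent.popleft()              # drop events older than the window
            if len({pid for _, pid in recent}) > max_distinct_patients:
                alerts.append(("volume", user_id, ev.patient_id, ev.ts))
    return alerts

def summarize(alerts):
    """Count alerts by kind, the figure a reviewer would look at first."""
    counts = defaultdict(int)
    for kind, *_ in alerts:
        counts[kind] += 1
    return dict(counts)

# Constructed access log: two legitimate users, one prison-service user reading an ASL patient,
# one nurse opening a colleague's file and then six unrelated dossiers at 02:00.
T = datetime(2022, 7, 20, 9, 0)
SAMPLE_EVENTS = [
    AccessEvent("dr.rossi", "P1", T),
    AccessEvent("dr.rossi", "P4", T + timedelta(minutes=10)),
    AccessEvent("nurse.bianchi", "P2", T + timedelta(minutes=15)),
    AccessEvent("dr.verdi", "P1", T + timedelta(hours=1)),
    AccessEvent("dr.verdi", "P10", T + timedelta(hours=1, minutes=5)),
] + [
    AccessEvent("nurse.bianchi", pid, T + timedelta(hours=17, minutes=3 * i))
    for i, pid in enumerate(["P3", "P4", "P5", "P6", "P7", "P8"])
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(*alert)
    print(summarize(detect_anomalies(SAMPLE_EVENTS)))
```

The authorization check is deliberately two-sided: belonging to the right structure is necessary but not sufficient, so a prison clinician is confined to the prison's patients and a ward nurse still cannot open a colleague's file without a registered care relationship. The detector runs after the fact over the audit log and is where the "number, type and time frame of accesses" criteria live; the thresholds are placeholders a real deployment would tune per structure.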

The Authority, taking into account the cooperation offered during the investigation, including in remedying the problems identified, imposed a fine of 70 thousand euros on the Udine health authority and 50 thousand euros on the Pordenone one.

It also gave the IT company 60 days to implement corrective actions to the application capable of guaranteeing adequate security and integrity of personal data and preventing unauthorized access.