Private healthcare provider: Insufficient technical and organisational measures to ensure information security

The Czech DPA (UOOU) conducted an investigation against the operator of a non-governmental medical facility following a security breach. The operator offers a range of diagnostic tests to patients. The results of the tests are subsequently communicated on its website to both patients and physicians who recommended the tests. The reported security breach involved an attack on the operator's website by an unknown individual. Following this incident, the operator stopped operating the website in question and proposed technical measures to increase security. However, the DPA still found that other websites operated by the same operator had the same shortcomings. Yet, the operator did not restrict their operation nor did it take any new technical measures. As a consequence, the UOOU imposed a fine of EUR 387.

GDPR Articles: Art. 24 GDPR, Art. 32 (1) GDPR
Industry: Health Care