Company: Insufficient technical and organisational measures to ensure information security

The DPA of Hamburg has imposed a fine in the six-digit range on a Hamburg-based company operating in the healthcare sector. The company had failed to take appropriate technical and organizational measures to ensure a level of data security protection appropriate to the risk when sending doctors' letters. As a result, doctor's letters were to a person who, although practicing a medical profession, was not the doctor providing further treatment for the affected patients. Instead, the letters were intended for a general practitioner with the same name as the recipient. The company had been informed of the incorrect mailing several times in the past by the unauthorized recipient. Nevertheless, it had failed to take organizational and technical measures to ensure that these incidents would not recur. In assessing the fine, the DPA took into aggravating account the fact that the data processed involved health data and that such data is particularly sensitive.

GDPR Articles: Art. 32 (1) GDPR
Industry: Health Care