Healthcare Data Breach – Polish company fined for ignoring the order to notify patients
An entrepreneur who failed to comply with an order issued in an administrative decision of the Personal Data Protection Office (UODO) has received a fine of over 85,000 PLN. This is the first sanction of this kind imposed by the Polish office.
The fined company provides medical services. Because there had been breaches in the protection of personal data, UODO ordered the company to notify the affected patients. The entrepreneur did not do so, as established by the follow-up procedure that checked whether the obligations imposed in the authority’s decision had been fulfilled.
In the notification, patients should be provided with a description of the nature of the breach and its possible consequences, information about the actions taken by the company, and the measures it proposes to address potential threats. In addition, details of the data protection officer or another contact point from which more information could be obtained had to be provided.
The company reportedly ignored the authority’s decision, and patients were unaware that a breach had occurred. According to UODO, the entrepreneur had received instructions on how to word the notifications, how to deliver them, and how to document these activities. However, even during the sanctioning procedure, the company did not provide any evidence that the obligation set out in the order had been fulfilled.
When determining the amount of the fine, UODO took into account two aggravating factors. First, it pointed to the long duration of the infringements, which increased the risk of negative consequences for patients. Second, it pointed to the deliberate nature of the irregularities in protecting personal data and the unsatisfactory level of cooperation with the supervisory authority in remedying them, as the entrepreneur did not follow the office’s recommendations during the proceedings.