The Portuguese data protection authority, the CNPD, has fined the Centro Hospitalar Barreiro Montijo 400,000 € for unauthorised access by hospital employees to sensitive data about the hospital's patients, a serious failure in the eyes of the GDPR.
The problem lay in the clinical software: once a patient's data was entered into the system, anyone with access to that system could view every case, whether or not they were involved in that patient's care and regardless of the role they held at the hospital.
The whole patient database was exposed; an employee needed only the username and password issued by the organisation.
The biggest problem with this flaw is the unlimited access to personal and private data. If an employee's account was compromised or their password was lost, every patient's data was exposed to whoever held those credentials. Put differently, the system enforced authentication (who you are) but not authorisation (what you are allowed to see), so the blast radius of a single stolen credential was the entire patient population.
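To make the access-control gap concrete, here is an added illustrative example that is not SClinico or SPMS code and does not reflect how that platform is actually implemented. It models two policies over a constructed set of patient records: a flawed check where a valid login is the only gate (the behaviour described above), and a hardened check that requires both a clinical role and membership in the patient's care team. The role names, usernames and record contents are assumptions made up for the example; every read is also written to an audit trail, since the article's complaint was precisely that no one could tell who had looked at what.

```python
# Added example (not SClinico/SPMS code): authentication-only access vs.
# role + need-to-know access, with an audit trail and a "blast radius" measure.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

@dataclass(frozen=True)
class User:
    username: str
    role: str  # assumed role names for the example: "doctor", "nurse", "clerk"

@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    clinical_notes: str
    care_team: frozenset  # usernames of staff involved in this patient's care

# Roles that may ever read clinical notes (assumption for the example).
CLINICAL_ROLES = frozenset({"doctor", "nurse"})

Policy = Callable[[User, PatientRecord], bool]

def can_read_flawed(user: User, record: PatientRecord) -> bool:
    """The behaviour the article describes: any authenticated user may read any record."""
    return user is not None

def can_read_hardened(user: User, record: PatientRecord) -> bool:
    """Role gate first, then a need-to-know gate tied to this patient's care team."""
    if user.role not in CLINICAL_ROLES:
        return False
    return user.username in record.care_team

def read_record(user: User, record: PatientRecord, policy: Policy,
                audit_log: List[Tuple[str, str, str]]) -> str:
    """Apply the policy, record the decision (allow or deny) in the audit trail,
    and only then release the clinical notes."""
    allowed = policy(user, record)
    audit_log.append((user.username, record.patient_id, "allow" if allowed else "deny"))
    if not allowed:
        raise PermissionError(f"{user.username} may not read {record.patient_id}")
    return record.clinical_notes

def exposed_records(user: User, records: Iterable[PatientRecord], policy: Policy) -> int:
    """How many records one compromised credential would expose under a policy."""
    return sum(1 for r in records if policy(user, r))

# Constructed sample data; names and notes are invented for the example.
RECORDS = [
    PatientRecord("P-001", "note 1 (constructed)", frozenset({"dr_silva", "nurse_costa"})),
    PatientRecord("P-002", "note 2 (constructed)", frozenset({"dr_pereira"})),
    PatientRecord("P-003", "note 3 (constructed)", frozenset({"dr_silva"})),
]
DR_SILVA = User("dr_silva", "doctor")
CLERK_ANA = User("clerk_ana", "clerk")

if __name__ == "__main__":
    for who in (DR_SILVA, CLERK_ANA):
        print(who.username,
              "flawed:", exposed_records(who, RECORDS, can_read_flawed),
              "hardened:", exposed_records(who, RECORDS, can_read_hardened))
    audit: List[Tuple[str, str, str]] = []
    try:
        read_record(CLERK_ANA, RECORDS[0], can_read_hardened, audit)
    except PermissionError as exc:
        print("denied:", exc)
    print("audit trail:", audit)
```

Under the flawed policy a clerk's stolen password exposes all three records; under the hardened one it exposes none, and a doctor sees only the patients they are actually treating. A real deployment would also need a supervised "break-glass" path for emergencies, but the core point is the one the regulator made: a login is not an authorisation decision.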
For that reason, the Portuguese doctors' union filed a complaint, and after an investigation by the General Inspection of Health Activities and the doctors' union, the fine was imposed.
Sources report that the hospital's administration had been warned beforehand and did nothing about it.
The hospital centre is now appealing the decision, arguing that the fault lay with the software itself and was not a problem it could fix.
The platform in question is called SClinico and was designed and developed by the Serviços Partilhados do Ministério da Saúde (SPMS).
There has been no response yet from the administration, nor any measures to fix the problem, which continues to expose patients' data.