The Portuguese data protection authority, the CNPD, has fined the Centro Hospitalar Barreiro Montijo 400.000€. The fine followed the discovery that hospital employees had unauthorised access to sensitive patient data, a serious breach of the GDPR.
The problem lay in the hospital's clinical information system. Once a patient's data was entered, every employee with a login could open any patient's record, regardless of the role they held at the hospital. A username and password issued by the organisation was all that was required: the system authenticated users but never checked whether their role or their involvement in the patient's care entitled them to the record they were viewing.
The most serious consequence of this flaw is the unrestricted access to personal and clinical data. If an employee's credentials were phished, stolen or lost, whoever obtained them could read every patient's record, and there was no role boundary to limit the damage.
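To make the distinction concrete, the following is an added example written for this article, not code from SClinico or from the hospital. It contrasts an access function that only authenticates (any valid login returns any record, the failure described above) with one that also authorises: clinical staff see the full record only for patients on whose care team they are listed, administrative staff see demographics only, everything else is denied by default, and every decision is written to an audit log. All users, patients and field values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# All users, patients and values below are constructed for this example;
# none of them come from SClinico or any real hospital system.


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password store a real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "dr-silva": _make_user("doctor", "correct horse"),
    "nurse-costa": _make_user("nurse", "battery staple"),
    "clerk-mota": _make_user("clerk", "front desk"),
}

PATIENTS = {
    "P-001": {"name": "Patient A", "dob": "1970-01-01",
              "diagnosis": "constructed diagnosis A",
              "care_team": {"dr-silva", "nurse-costa"}},
    "P-002": {"name": "Patient B", "dob": "1985-06-30",
              "diagnosis": "constructed diagnosis B",
              "care_team": {"dr-silva"}},
}

# Fields an administrative user may see without being on the care team.
DEMOGRAPHIC_FIELDS = ("name", "dob")

# Every access decision, allowed or denied, is appended here.
AUDIT_LOG: list = []


def authenticate(username: str, password: str) -> Optional[dict]:
    """Return the user record if the password matches, else None."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    return user if hmac.compare_digest(candidate, user["hash"]) else None


def view_record_flawed(username: str, password: str, patient_id: str) -> dict:
    """The failure mode in the article: a valid login is the only gate.

    No role check, no care-team check, no audit trail."""
    if authenticate(username, password) is None:
        raise PermissionError("invalid credentials")
    return PATIENTS[patient_id]


def view_record_hardened(username: str, password: str, patient_id: str) -> dict:
    """Authenticate, then authorise by role and care relationship; deny by default."""
    decision = "deny"
    try:
        user = authenticate(username, password)
        if user is None:
            raise PermissionError("invalid credentials")
        record = PATIENTS.get(patient_id)
        if record is None:
            raise PermissionError("not authorised")  # same error as a real denial
        role = user["role"]
        if role in ("doctor", "nurse") and username in record["care_team"]:
            decision = "allow-full"
            return {k: v for k, v in record.items() if k != "care_team"}
        if role == "clerk":
            decision = "allow-demographics"
            return {k: record[k] for k in DEMOGRAPHIC_FIELDS}
        raise PermissionError("not authorised")
    finally:
        # The log entry is written whether the call returned or raised.
        AUDIT_LOG.append({"user": username, "patient": patient_id, "decision": decision})


if __name__ == "__main__":
    # A clerk can pull a diagnosis from the flawed function but not the hardened one.
    print(view_record_flawed("clerk-mota", "front desk", "P-002")["diagnosis"])
    print(view_record_hardened("clerk-mota", "front desk", "P-002"))
    print(AUDIT_LOG[-1])
```

The check that matters is the combination of role and care relationship: a doctor who is not treating a patient is denied just like a clerk, and the denial itself is logged, which is what lets an organisation detect credential misuse instead of discovering it, as here, through a complaint.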
It was for this reason that the Portuguese doctors' union lodged a complaint. After an investigation by the General Inspection of Health Activities and the doctors' union, the hospital was fined.
Sources say that the hospital's administration already knew about the problem but took no action to address it.
The hospital is now appealing the decision, arguing that the fault lay with the software rather than with anything it could have fixed itself. The platform in question is SClinico, designed and developed by the Serviços Partilhados do Ministério da Saúde (SPMS). Under the GDPR, however, the hospital as data controller remains accountable for the security of the processing it carries out, whoever wrote the software.
As yet there has been no further response from the administration, and no measures to fix the problem have been announced.