Garante per la protezione dei dati personali (Italy) - 9990640

From GDPRhub
Revision as of 15:20, 24 July 2024 by Mariaboulieri
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR; Article 9 GDPR; Article 28 GDPR; Article 32(1)(d) GDPR; Article 32(1)(b) GDPR; Article 58(2)(i) GDPR; Article 83(4) GDPR; Article 83(5)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.01.2024
Published: 24.01.2024
Fine: 8000 EUR
Parties: Bambino Gesù Pediatric Hospital; Dedalus Italia S.p.A.
National Case Number/Name: 9990640
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (Italy) (in IT)
Initial Contributor: Maria Boulieri

Bambino Gesù Pediatric Hospital reported a data breach caused by a software error in the laboratory integration software supplied by Dedalus, which affected 24 patient reports containing health data. The breach revealed inadequate security measures, and the Authority fined Dedalus €8,000.

English Summary

Facts

Bambino Gesù Pediatric Hospital in Rome reported a data breach involving its "Carta della Salute" ("Charter of Health") patient portal. On a specified day, a patient accessed another patient's report because of a software error. The issue stemmed from the Dnlab software provided by Dedalus Italia S.p.A., which sent HL7 laboratory messages carrying a patient identifier that did not match the report in the message body. Once propagated, these messages associated reports with the wrong patients in the hospital's integrated systems. The breach affected 24 reports.

The hospital promptly notified authorities and took corrective actions, including requesting Dedalus to implement non-regression testing to prevent future occurrences. They also communicated with affected patients and provided additional support.

Dedalus contended that it was not contractually required to perform regular vulnerability assessments and argued that the error was accidental and limited in scope. They claimed the breach was due to an isolated incident and requested either the closure of the case or a lesser penalty.

Holding

The Authority found that Dedalus, despite its arguments about the limits of its contractual obligations, had not adequately addressed the security needs of the integration, had not carried out the necessary periodic checks, and had therefore failed to implement appropriate technical and organizational security measures as required by the GDPR. As mitigating factors, it noted that the breach lasted four days, involved a small number of patients, and showed no evidence of damage or misuse of the data. The Authority imposed a fine of €8,000 for violation of Articles 5(1)(f), 9 and 32 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 9990640]

Provision of 24 January 2024

Register of measures
n. 39 of 24 January 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Guido Scorza, lawyer, members, and Fabio Mattei, councillor, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter "Regulation");

HAVING REGARD TO Legislative Decree 30 June 2003, no. 196, containing the "Code regarding the protection of personal data, containing provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of natural persons with regard to the processing of personal data, as well as the free circulation of such data, and which repeals Directive 95/46/EC" (hereinafter "Code");

GIVEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved with resolution of the Guarantor no. 98 of 4/4/2019, published in the Official Gazette no. 106 of 8/5/2019 and at www.gpdp.it, doc. web no. 9107633 (hereinafter "Guarantor Regulation no. 1/2019");

HAVING SEEN the documentation on file;

GIVEN the observations made by the general secretary pursuant to art. 15 of Guarantor Regulation no. 1/2000 on the organization and functioning of the office of the Guarantor for the protection of personal data, at www.gpdp.it, doc. web no. 1098801;

RAPPORTEUR Dr. Agostino Ghiglia;

PREMISE

1. The preliminary investigation activity.

With notes dated XX and XX, the Bambino Gesù Pediatric Hospital, located in Rome (hereinafter the Pediatric Hospital), notified the Authority, pursuant to art. 33 of the Regulation, of a personal data breach which occurred between XX and XX, declaring that it had received, on XX at 1.56 pm, a report with which a patient declared to have had access (via the dedicated portal "Carta della Salute", https://cartadellasalute.editorebambinogesu.it) to the report of another patient (…), and that it had directly detected, at 9.34 am on the same day, an anomaly "promptly reported to the supplier" Dedalus Italia S.p.a., tax code 05994810488, with headquarters in Florence, Via di Collodi n. 6/C, postal code 50141, PEC: dedalus@legalmail.it (hereinafter the Company), "formally identified as Data Processor by the Hospital (...)". In the aforementioned communications, the Children's Hospital also added that "(...) on day XX at 12.01 a further report was received by the Hospital from an interested party, which indicated the right to access a report from another patient. Subsequent analysis revealed a further error, a consequence of the bug already identified and corrected previously, relating to a small number of users."

In describing the breach, the Children's Hospital pointed out that it "consisted in the sending, by the system of the supplier Dedalus Italia S.p.A., to the Hospital's data management system (Mirth middleware), of HL7 laboratory messages containing a segment of information showing a patient identifier different from the content of the message (report). The subsequent propagation of these messages generated an incorrect association between report and patient in the other integrated applications. The effect of the aforementioned anomaly is the association of a report, intact and coherent as a whole, with the wrong patient. The object of the malfunction is the integration component of the Dedalus Dnlab software, from the supplier Dedalus Italia S.p.A. (…). As a result of the detailed analytical control relating to the individuals concerned and the reports relating to them, the number of reports involved which constitute a violation of personal data, putting the rights and freedoms of natural persons at risk, is equal to 24 (reports)".

In addition to describing the systems, software, services and IT infrastructures involved in the violation, with an indication of their location, highlighting that the onset of the bug and its elimination involved the systems provided by the Company, responsible for the processing, the Children's Hospital illustrated the technical and organizational measures in place at the time of the violation, as well as those adopted to remedy the violation and reduce the negative effects for those affected.

In order to prevent similar violations in the future, the aforementioned Children's Hospital, data controller, has, among other things, requested "the supplier to include an explicit "non-regression" test for future evolutions of the software, in order to prevent the identified IT error cases (...) from recurring in the future".

In relation to what was represented, the Office, with a note dated XX (prot. no. XX), requested further information and clarifications, pursuant to art. 157 of the Code, from the data controller which, with a note dated XX (prot. no. XX), replied, declaring, among other things, that:

- "(...) no further reports were detected after XX that could generate a risk for the rights and freedoms of natural persons";

- “The measures adopted to remedy the violation of personal data and also to mitigate its possible negative effects, have concretely prevented the possibility of events similar to the one in question from occurring, since neither the recurrence of the previously resolved bug was highlighted, nor of a similar new vulnerability in the system. Furthermore, the actions definitively implemented by the Hospital have made it possible to standardize even more detailed analysis methods, also used for the periodic testing and "sample" analysis phases, in order to verify the coherence of the systems and the production of reports over time. In any case, it is noted that the notification was made to the system supplier, that the same made the necessary corrections and the checks carried out, both in the test and production environments, confirmed that similar episodes can no longer occur";

- "(...) The event that occurred, in light of what has been illustrated, determined effects (...) for a limited time period, i.e. in the period between XX and XX";

- "(…) 6 people (so-called «Viewed») suffered a loss of confidentiality, as one or more of their reports were exposed to unauthorized people; 6 people (so-called «Viewers») had access to the reports of other interested parties in an erroneous way, generating a loss of confidentiality; 8 people had a problem of probable unavailability (one of them was also part of the "Viewers" group), the requested report was not available, therefore they recorded a malfunction and difficulty in using the service";

- "in order to fully comply with the provisions of Article 34 of the GDPR, the Hospital has prepared and communicated the violation to the interested parties by post without unjustified delay, sending two types of communications by XX" and "(...) has arranged, as a further measure, to contact the Viewers by telephone in the aforementioned cancellation activity, through a multidisciplinary team established to provide support, where required, also from an IT point of view to the interested parties";

- "(...) no further reports have been received from interested parties to date".

The data controller also attached the documents appointing the Company as data processor, relating to the service contracts stipulated with the latter.

In light of the above, with a note dated XX (prot. no. XX), the Office requested information, pursuant to art. 157 of the Code, from the Company, data processor, which, with a note dated XX, replied to the Authority declaring, among other things:

"As for "the detailed description of the bug", it concerned the DNLAB solution ("DNLAB"), provided by the Company to the Bambin Gesù Pediatric Hospital ("OPBG"), and consisted in sending to the data management system of OPBG itself, i.e. the Mirth middleware, HL7 laboratory messages containing a segment of information showing a different patient identifier compared to the content of the message, i.e. the analysis report. The subsequent propagation of these messages generated an incorrect association between report and patient in the other integrated applications. The problem was linked to an error in the custom code of the integration, which occurred due to an overlap of the incremental counters of the "Seqreferti" and "Seqrichiesta" tables. The graph in Fig. 1 shows the historical trend of these two values, the overlap of which occurred on June 9th."

The Company then illustrated, also through some graphs ("Historical trend of the assignment of values to the "Seqreferti" and "Seqrichiesta" sequences"; "Comparison of the "Seqreferti" and "Seqrichiesta" values between 8:04:23 and 8:06:53 am on 9 June last"), the technical aspects of how the bug arose, and declared that "with regard to DNLAB the implementation of periodic vulnerability assessment tests was not and is not contractually envisaged. Nor, beyond the absence of a contractual obligation in this sense, would the Company have been able to independently carry out these vulnerability assessment activities, since DNLAB resides entirely on OPBG's production environment".
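Added example, not code from the decision, Dedalus or the hospital: a toy model of the sequence-overlap defect the Company describes, beside the outbound consistency check between the HL7 PID segment and the ordering patient that would stop such a message at the sender or at the Mirth middleware, and the "non-regression" test the hospital asked its supplier for. A shared context map as the mechanism of the overlap, the sequence start values, the HL7 field layout and all patient identifiers are assumptions or constructed data; the real DNLAB code is not on the page.

```python
from itertools import count
from typing import Dict, List, Tuple

# Constructed sample patient identifiers (not real data).
PATIENTS = ["PAT-0001", "PAT-0002", "PAT-0003"]


class LabIntegration:
    """Toy model of a lab order/report integration driven by two sequences.

    ASSUMED faulty design (bug=True): one context map keyed by sequence value
    serves both request ids and report ids, so once the request sequence reaches
    a value already used as a report id, the patient attached to that report is
    overwritten (the "overlap" of the counters).  With bug=False the report keeps
    its own request reference and every outbound message is validated.
    """

    def __init__(self, request_seq_start: int, report_seq_start: int, bug: bool):
        self._req_seq = count(request_seq_start)
        self._rep_seq = count(report_seq_start)
        self.bug = bug
        self.requests: Dict[int, str] = {}              # request id -> patient id
        self.reports: Dict[int, Tuple[int, str]] = {}   # report id -> (request id, result)
        self._context: Dict[int, str] = {}              # shared map of the faulty design

    def new_request(self, patient_id: str) -> int:
        rid = next(self._req_seq)
        self.requests[rid] = patient_id
        self._context[rid] = patient_id   # silently overwrites a report entry after the overlap
        return rid

    def new_report(self, request_id: int, result: str) -> int:
        rep_id = next(self._rep_seq)
        self.reports[rep_id] = (request_id, result)
        self._context[rep_id] = self.requests[request_id]
        return rep_id

    def build_oru(self, rep_id: int) -> str:
        """Render an ORU^R01 message (segments separated by CR, fields by '|')."""
        request_id, result = self.reports[rep_id]
        if self.bug:
            patient = self._context[rep_id]      # may now belong to a later request
        else:
            patient = self.requests[request_id]  # always the ordering patient
        msg = "\r".join([
            f"MSH|^~\\&|DNLAB|LAB|MIRTH|HOSP|20240101000000||ORU^R01|{rep_id}|P|2.5",
            f"PID|1||{patient}^^^HOSP^MR",
            f"OBR|1|{request_id}|{rep_id}|LAB^Laboratory panel",
            f"OBX|1|TX|RESULT||{result}||||||F",
        ])
        if not self.bug:
            problems = check_oru(msg, self.requests)
            if problems:  # fail closed: an inconsistent report must not leave the sender
                raise ValueError(f"report {rep_id} not sent: {problems}")
        return msg


def parse_segments(msg: str) -> Dict[str, List[str]]:
    """Split an HL7 v2 message into {segment name: fields}; first of each type wins."""
    segments: Dict[str, List[str]] = {}
    for seg in msg.split("\r"):
        fields = seg.split("|")
        segments.setdefault(fields[0], fields)
    return segments


def check_oru(msg: str, requests: Dict[int, str]) -> List[str]:
    """Cross-check PID-3 against the patient of the order named in OBR-2.
    Returns the problems found (empty list = consistent); a middleware such as
    the hospital's Mirth layer can run this before propagating a report."""
    seg = parse_segments(msg)
    try:
        pid = seg["PID"][3].split("^")[0]   # PID-3: patient identifier list, first id
        placer = int(seg["OBR"][2])         # OBR-2: placer order number (the request id)
    except (KeyError, IndexError, ValueError) as exc:
        return [f"malformed message: {exc!r}"]
    expected = requests.get(placer)
    if expected is None:
        return [f"OBR-2 order {placer} unknown"]
    if pid != expected:
        return [f"PID-3 {pid} != ordering patient {expected} for order {placer}"]
    return []


def regression_test(bug: bool, cycles: int = 6) -> List[int]:
    """Drive both sequences through their crossover point and return the ids of
    reports whose PID does not match the ordering patient (empty list = pass)."""
    lab = LabIntegration(request_seq_start=100, report_seq_start=104, bug=bug)
    report_ids = []
    for i in range(cycles):
        rid = lab.new_request(PATIENTS[i % len(PATIENTS)])
        report_ids.append(lab.new_report(rid, f"Hb {10 + i} g/dL"))
    # Reports are exported only after later requests have arrived (batch dispatch),
    # which is exactly when a collided context entry is read.
    return [rep for rep in report_ids if check_oru(lab.build_oru(rep), lab.requests)]


if __name__ == "__main__":
    print("faulty integration, mismatched reports:", regression_test(bug=True))   # [104, 105]
    print("fixed integration, mismatched reports:", regression_test(bug=False))   # []
```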

2. Assessments of the Office on the processing carried out and notification of the violation referred to in art. 166, paragraph 5, of the Code

On the basis of the above, this Office, with deed dated XX (prot. XX), which must be understood as reproduced here, notified the Company, as data processor, of the violation pursuant to art. 166, paragraph 5, of the Code, as it was noted that 24 reports were subject to a system malfunction, in terms of loss of confidentiality and unavailability, due to a bug that occurred in the DNLAB solution ("DNLAB") provided by the Company, data processor, to the Pediatric Hospital, which resulted in processing of personal data carried out in violation of arts. 5, par. 1, letter f), 9 and 32 of the Regulation.

With a note dated XX, the Company sent its defense briefs, in which it highlighted, among other things, that:

"in relation to the charges raised in the Notification against the Company, consisting in the alleged failure by the Company to implement security measures, we refer to what was specified by the Company itself in its previous note dated 15 May 2005, namely that: with regard to DNLAB the carrying out of periodic vulnerability assessment tests was not and is not contractually envisaged between the Company and OPBG; (...) beyond the absence of a contractual obligation in this sense, the Company would not have been able to independently carry out these vulnerability assessment activities, since DNLAB resides entirely on OPBG's production environment. These arguments (...) demonstrate how no infringement of the obligations under art. 32 of the Regulation, and therefore of the principle referred to in art. 5, par. 1, letter f) of the Regulation itself, is attributable to the Company, which found itself unable not only legally, but also and above all materially, to independently implement vulnerability assessment activities on the System aimed at preventing and/or mitigating the risk of Data Breach. These measures were legally and materially implementable by OPBG alone, so that the Company cannot be accused of omissive conduct relating to the alleged failure to implement security measures, which do not fall within the scope of responsibility and control of the Company itself. Given the above, it is believed that the Company has not violated the provisions of the Regulation";

“The Data Breach resulted from an accidental event, the severity of which was limited in light of the interventions carried out by OPBG and – to the extent of its competence – by the Company. It had a limited duration in time and, as for the number of interested parties involved, the same, equal to a few units, is extremely limited compared to the number of patients managed by OPBG. The alleged violation is, where appropriate and at most, negligent in nature, as it derives from an accidental event";

“(…) Since the detection of the Data Breach, Dedalus has provided the widest cooperation to remedy the event itself and mitigate its possible negative effects (…) Following the communication of the Data Breach by OPBG, Dedalus has activated all measures relating to its scope of competence and in particular, following the isolation of the bug identified on the System, it promptly proceeded to analyze it and remove it as early as XX. These actions are also suitable to avoid the recurrence of similar incidents in the future";

“There are no specific corrective measures already adopted by this esteemed Authority with reference to the specific violation complained of”;

“(…) as a result (…) of the (data breach), due to fortuitous, unfortunate and completely episodic circumstances, the Company neither achieved benefits nor avoided losses as a result of it”.
Lastly, the Company requested that the proceeding in question be closed or, alternatively, that a less rigorous sanction be applied, such as a warning, in place of the financial penalty.

3. Outcome of the preliminary investigation

Having taken note of what is represented in the documentation on file, it is noted that:

- "data relating to health" means "personal data relating to the physical or mental health of a natural person, including the provision of healthcare, which reveal information relating to his or her state of health" (art. 4, par. 1, no. 15 of the Regulation). Personal data relating to health deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (recital 51);

- pursuant to art. 28 of the Regulation, the controller may also entrust processing to third parties who present sufficient guarantees on the implementation of technical and organizational measures suitable to guarantee that the processing complies with the regulations on the protection of personal data ("data processors"). In this case, it appears from the documents that the Pediatric Hospital, data controller, makes use of the services offered by the Company as data processor;

- the legislation on the protection of personal data establishes that the same data must be "processed in a way that guarantees adequate security (...), including protection, through adequate technical and organizational measures, from unauthorized or illicit processing and from accidental loss, destruction or damage (principle of “integrity and confidentiality”)” (art. 5, par. 1, letter f) of the Regulation);

- the controller and, with it, also the processor, are called upon to implement "adequate technical and organizational measures to guarantee a level of security adequate to the risk" taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (art. 32, par. 1, of the Regulation);

- in particular, the data controller and data processor implement technical and organizational measures that include, among others, where appropriate, "(...) the ability to ensure confidentiality, integrity, availability and resilience on a permanent basis of processing systems and services (and) (…) a procedure to regularly test, verify and evaluate the effectiveness (…) (of such measures) in order to guarantee the safety of the processing" (art. 32, par. 1, letters b) and d));

- as regards specifically the health sector, it is highlighted that the regulations on the protection of personal data provide that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis or upon indication of the interested party himself following written delegation from the latter (art. 9 Regulation);

- the bug operating in the "Dnlab" solution provided by the company Dedalus S.p.a., data processor, resulting in the sending, to the controller's data management system, of HL7 laboratory messages containing a segment of information showing a patient identifier different from the content of the report, led to the accessibility of the reports of 6 patients to other unauthorized patients and the unavailability of their own reports to 8 patients;

- with reference to the defense argument that the functionality of the aforementioned "Dnlab" solution provided by the Company to the Pediatric Hospital "resides entirely on the OPBG production environment", it is noted that, precisely in consideration of the interconnection of this program with the Hospital's data management system (Mirth middleware), the Company itself, in light of the security obligations mentioned above, which also burden the data processor, and of the technical competence of the latter, for which the Children's Hospital chose to engage it pursuant to art. 28 of the Regulation, should have provided for adequate security measures and their implementation, taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (art. 32, par. 1, of the Regulation), including the related periodic checks of such measures (art. 32, par. 1, letters b) and d) of the Regulation), to ensure the confidentiality, integrity, availability and resilience of the systems on a permanent basis. In this sense, art. 28 of the Regulation establishes that the act regulating the relationship between the controller and the processor provides that the processor adopts all the measures required pursuant to art. 32 of the same Regulation (see Act of appointment of data processor, between the Children's Hospital and the Company, of XX, protocol XX, par. 3 "Requirements for the Data Processor", letters d) and f));

- furthermore, it is considered that the episode occurred between XX and XX and, therefore, in a limited time span; no complaints or reports have been submitted to the Authority and, from what was declared by the controller, no "further consequences for the interested parties have emerged and the illegitimately viewed data has not been used for other purposes or disseminated, nor does there appear to be evidence of repercussions consistent with a physical, material or immaterial damage to the interested parties"; no malicious behavior emerges in relation to the matter; the processor acted promptly to mitigate the effects of the violation and to resolve the problem.

4. Conclusions.

In light of the assessments mentioned above, taking into account the declarations made by the Company during the investigation (and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code, "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor"), the elements provided by the data processor in the defense briefs do not allow the findings notified by the Office with the deed initiating the procedure to be overcome, as, moreover, none of the cases provided for by art. 11 of Guarantor Regulation no. 1/2019 applies.

For these reasons, the Company, as data processor, with reference to the "integration component of the Dedalus Dnlab software" provided to the Children's Hospital, from which the bug originated, without providing adequate security measures and their implementation, including the related periodic checks, has processed personal data:

- in a manner that does not comply with the principle of "integrity and confidentiality" in violation of the art. 5, par. 1, letter. f), of the Regulation;

- failing to implement technical and organizational measures suitable to guarantee a level of security adequate to the risk, capable of ensuring the confidentiality, integrity, availability and resilience of processing systems and services on a permanent basis, as well as a procedure to regularly test, verify and evaluate the effectiveness of such measures in order to guarantee the security of the processing (art. 32, par. 1, letters b) and d));

- determining a communication of data relating to the health of n. 6 patients to six third parties not authorized to receive them, in the absence of a suitable legal basis and, therefore, in violation of the art. 9 of the Regulation.

In this framework, considering that measures have been adopted aimed at overcoming the vulnerability described above and that the recipients of the reports subject to the violation have been asked to destroy these reports, the conditions for the adoption of the corrective measures referred to in art. 58, par. 2, of the Regulation are not met.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of arts. 5, par. 1, letter f), 9 and 32 of the Regulation is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5, of the Regulation.

Taking into account that the violation of the above-mentioned rules took place as a consequence of a single conduct, art. 83, par. 3, of the Regulation applies, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns the failure to comply with art. 9 of the Regulation, subject to the administrative sanction provided for by art. 83, par. 5, of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros or, for companies, up to 4% of the total annual worldwide turnover of the previous financial year, if higher.

Considering that the Guarantor, pursuant to arts. 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code" (art. 16, paragraph 1, of Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in the art. 83, par. 1, of the Regulation in light of the elements provided for in the art. 83, par. 2, of the Regulation.

In light of the above, in order to evaluate the seriousness of the violation (art. 83, par. 2, letters a), b), g)), account is taken, in particular, of the category of personal data processed (relating to health), the duration of the violation (4 days), the number of interested parties (6 with reference to the communication of data and 8 with reference to the loss of availability of personal data), the absence of intent, and the absence of complaints regarding any damage suffered by the interested parties; in light of this, it is believed that the level of severity of the violation committed by the Company is medium (see European Data Protection Board, "Guidelines 04/2022 on the calculation of administrative fines under the GDPR" of 23 May 2023, point 60).

Account is also taken, pursuant to art. 83, par. 2, of the Regulation, of the fact that the Authority became aware of the event following the notification of the breach by the Children's Hospital (art. 83, par. 2, letter h), of the Regulation) and that the processor was subject to a previous proceeding concerning a relevant violation (see provision of 23 March 2023, no. 86, web doc. no. 9883731) (art. 83, par. 2, letter e), of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by art. 83, par. 5, letter a), of the Regulation, in the amount of 8,000.00 (eight thousand) euros for the violation of arts. 5, par. 1, letter f), 9 and 32 of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1, of the Regulation, effective, proportionate and dissuasive.

It is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7, of the Code and art. 16 of Guarantor Regulation no. 1/2019, should be applied, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by Dedalus Italia S.p.a., tax code 05994810488, with headquarters in Florence, Via di Collodi n. 6/C, for the violation of arts. 5, par. 1, letter f), 9 and 32 of the Regulation, in the terms set out in the grounds;

ENJOINS

pursuant to arts. 58, par. 2, letter i), and 83 of the Regulation, as well as art. 166 of the Code, Dedalus Italia S.p.a. to pay the sum of 8,000.00 (eight thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed;

ORDERS

Dedalus Italia S.p.a., in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 8,000.00 (eight thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with art. 27 of Law no. 689/1981;

DIRECTS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter u), of the Regulation, of violations and measures adopted in compliance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 24 January 2024

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE GENERAL SECRETARY
Mattei


In describing the violation, the Children's Hospital pointed out that this "consisted in the sending, by the system of the supplier Dedalus Italia S.p.A., to the Hospital's data management system (Mirth middleware) of HL7 laboratory messages containing a segment of information showing a patient identifier different from the content of the message (report). The subsequent propagation of these messages generated an incorrect association between report and patient in the other integrated applications. The effect of the aforementioned anomaly is the association of a report, intact and coherent as a whole, with the wrong patient. The object of the malfunction is the integration component of the Dedalus Dnlab software, from the supplier Dedalus Italia S.p.A. (…).  As a result of the detailed analytical control relating to the individuals concerned and the reports relating to them, the number of reports involved which constitute a violation of personal data, putting the rights and freedoms of natural persons at risk, is equal to 24 (reports) ”.

In addition to describing the systems, software, services and IT infrastructures involved in the violation, with an indication of their location, highlighting that the onset of the bug and its elimination involved the systems provided by the Company, responsible for the processing, the Children's Hospital illustrated the technical and organizational measures in place at the time of the violation, as well as those adopted to remedy the violation and reduce the negative effects for those affected.

In order to prevent similar violations in the future, the aforementioned Children's Hospital, data controller, has, among other things, requested "the supplier to include an explicit "non-regression" test for future evolutions of the software, in order to prevent the identified IT error cases (...) from recurring in the future".

In relation to what was represented, the Office, with note dated XX (prot. n. XX), requested further information and clarifications, pursuant to art. 157 of the Code, to the data controller who, with note dated XX (prot. n. XX), provided feedback, declaring, among other things, that:

- "(...) no further reports were detected after the date of the twentieth that could generate a risk for the rights and freedoms of natural persons";

- “The measures adopted to remedy the violation of personal data and also to mitigate its possible negative effects, have concretely prevented the possibility of events similar to the one in question from occurring, since neither the recurrence of the previously resolved bug was highlighted, nor of a similar new vulnerability in the system. Furthermore, the actions definitively implemented by the Hospital have made it possible to standardize even more detailed analysis methods, also used for the periodic testing and "sample" analysis phases, in order to verify the coherence of the systems and the production of reports over time. In any case, it is noted that the notification was made to the system supplier, that the same made the necessary corrections and the checks carried out, both in the test and production environments, confirmed that similar episodes can no longer occur";

- "(...) The event that occurred, in light of what has been illustrated, determined effects (...) for a limited time period, i.e. in the period between the 20th and the 20th";

-  “(…) n. 6 people (so-called «Viewed») suffered a loss of confidentiality, as one or more of their reports were exposed to unauthorized people; n. 6 people (so-called «Viewers») had access to the reports of other interested parties in an erroneous way, generating a loss of confidentiality; n. 8 people had a problem of probable unavailability (one of them was also part of the "Viewers" group), the requested report was not available, therefore they recorded a malfunction and difficulty in using the service";

- "in order to fully comply with the provisions of Article 34 of the GDPR, the Hospital has prepared and communicated the violation by post to the interested parties without unjustified delay, sending two types of communications within the XX" and "(...) has arranged, as a further measure, to contact the Viewers by telephone in the aforementioned cancellation activity, through a multidisciplinary team established to provide support, where required, also from an IT point of view to the interested parties";

- “(…) no further reports have been received from interested parties to date”.

The data controller has also attached the documents appointing the Company as data controller, relating to the service contracts stipulated with the latter.

In light of the above, with note dated XX (prot. n. XX), the Office requested information, pursuant to art. 157 of the Code, to the Company, responsible for the processing, which, with note dated XX, responded to the Authority declaring, among other things:

“As for “the detailed description of the bug”, it concerned the DNLAB solution (“DNLAB”), provided by the Company to the Bambin Gesù Pediatric Hospital (“OPBG”), and consisted in sending to the data management system of the OPBG itself, i.e. the Mirth middleware, of HL7 laboratory messages containing a segment of information showing a different patient identifier compared to the content of the message, i.e. the analysis report. The subsequent propagation of these messages generated an incorrect association between report and patient in the other integrated applications. The problem was linked to an error in the custom code of the integration, which occurred due to an overlap of the incremental counters of the "Seqreferti" and "Seqrequest" tables. The graph in Fig. 1 shows the historical trend of these two values, the overlap of which occurred on June 9th.

The Company then illustrated, also through some graphs ("Historical trend of the assignment of values to the "Seqreferti" and "Seqrichiesta" sequences; Comparison of the "Seqreferti" and "Seqrichiesta" values between the hours of 8:04:23 and 8:06:53 am on 9 June last) the technical aspects of the dynamics of the determination of the bug, as well as declared that "with regard to DNLAB the implementation of periodic vulnerability assessment tests was not and is not contractually envisaged". Nor, beyond the absence of a contractual obligation in this sense, would the Company have been able to independently carry out these vulnerability assessment activities, since DNLAB resides entirely on OPBG's production environment".

2. Department assessments on the processing carried out and notification of the violation referred to in the art. 166, paragraph 5, of the Code

On the basis of the above, this Office - with deed dated XX (prot. XX) which must be understood as reproduced here - has notified the Company, as data controller, of violation pursuant to art. 166, paragraph 5, of the Code as it was noted that no. 24 reports were subject to a system malfunction - in terms of loss of confidentiality and unavailability - due to a bug that occurred in the DNLAB solution ("DNLAB") provided by the Company - responsible for the processing - to the pediatric hospital which resulted in a processing of personal data carried out in violation of the art. 5, par. 1, letter. f), 9 and 32 of the Regulation.

With a note sent dated XX, the Company sent its defense briefs in which it highlighted, among other things, that:

"in relation to the charges raised in the Notification against the Company, consisting in the alleged failure by the Company to implement security measures, we refer to what was specified by the Company itself in its previous note dated 15 May 2005, namely that: with regard at DNLAB the carrying out of periodic vulnerability assessment tests was not and is not contractually envisaged between the Company and OPBG; (...) beyond the absence of a contractual obligation in this sense, the Company would not have been able to independently carry out these vulnerability assessment activities, since DNLAB resides entirely on OPBG's production environment. These arguments, (...) demonstrate how no infringement of the obligations under art. 32 of the Regulation and therefore of the principle referred to in art. 5, par. 1, letter. f) of the Regulation itself is attributable to the Company, which found itself unable not only legally, but also and above all materially, to independently implement vulnerability assessment activities on the System aimed at preventing and/or mitigating the risk of Data Breach. These measures were legally and materially implementable by OPBG alone, so that the Company cannot be accused of omissive conduct relating to the alleged failure to implement security measures, which do not fall within the scope of responsibility and control of the Company itself. Given the above, it is believed that the Company has not violated the provisions of the Regulation";

“The Data Breach resulted from an accidental event, the severity of which was limited in light of the interventions carried out by OPBG and – to the extent of its competence – by the Company. It had a limited duration in time and, as for the number of interested parties involved, the same, equal to a few units, is extremely limited compared to the number of patients managed by OPBG. The alleged violation is, where appropriate and at most, negligent in nature, as it derives from an accidental event";

“(…) Since the detection of the Data Breach, Dedalus has provided the widest cooperation to remedy the event itself and mitigate its possible negative effects (…) Following the communication of the Data Breach by OPBG, Dedalus has activated all measures relating to its scope of competence and in particular, following the isolation of the bug identified on the System, it promptly proceeded to analyze it and remove it as early as XX. These actions are also suitable for avoiding the recurrence of similar incidents in the future";

“There are no specific corrective measures already adopted by this esteemed Authority with reference to the specific violation complained of”;

“(…) as a result (…) of the (data breach), due to fortuitous, unfortunate and completely episodic circumstances, the Company neither achieved benefits nor avoided losses in response to it”.
Lastly, the Company requested that the proceeding in question be dismissed or, alternatively, that a less rigorous sanction be applied, such as a warning, in place of the financial penalty.

3. Outcome of the preliminary investigation

Having taken note of what is represented in the documentation in the documents, it is noted that:

- "data relating to health" means "personal data relating to the physical or mental health of a natural person, including the provision of healthcare, which reveal information relating to his or her state of health" (art. 4, par. 1 , n. 15 of the Regulation). Personal data relating to health deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Cons. n. 51);

- pursuant to art. 28 of the Regulation, the owner can also entrust processing to third parties who present sufficient guarantees on the implementation of technical and organizational measures suitable to guarantee that the processing complies with the regulations on the protection of personal data ("data controllers" ). In this matter, it appears from the documents that the pediatric hospital, data controller, makes use of the services offered by the Company as data controller;

- the legislation on the protection of personal data establishes that the same data must be "processed in a way that guarantees adequate security (...), including protection, through adequate technical and organizational measures, from unauthorized or illicit processing and from accidental loss, destruction or damage (principle of “integrity and confidentiality”)” (art. 5, par. 1, letter f) of the Regulation);

- the owner and, with him, also the data controller, are called upon to implement "adequate technical and organizational measures to guarantee a level of security adequate to the risk" taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (art. 32 par. 1 of the Regulation);

- in particular, the data controller and data processor implement technical and organizational measures that include, among others, where appropriate, (...) the ability to ensure confidentiality, integrity, availability and resilience on a permanent basis of processing systems and services (and) (…) a procedure to regularly test, verify and evaluate the effectiveness (…) (of such measures) in order to guarantee the safety of the processing” (art. 32, par. 1 , letters b) and d));

- as regards specifically the health sector, it is highlighted that the regulations on the protection of personal data provide that information on the state of health can be communicated only to the interested party and can be communicated to third parties only on the basis of a suitable legal basis or upon indication of the interested party himself following written delegation from the latter (art. 9 Regulation);

- the bug operating in the "Dnlab" solution provided by the company Dedalus S.p.a., responsible for the processing, resulting in the sending, to the data management system of the owner, of HL7 laboratory messages containing a segment of information showing a patient identifier different from the content of the report, led to the accessibility of the reports of n. 6 patients to other unauthorized patients and the unavailability of their own reports to no. 8 patients;

- with reference to the defense argument for which the functionality of the aforementioned "Dnlab" solution provided by the Company to the pediatric hospital, "resides entirely on the OPBG production environment", it is noted that precisely in consideration of the interconnected function of this program with the Hospital's data management system (Mirth middleware), the Company itself, in light of the security obligations, mentioned above, also burdening the data controller, as well as the technical competence of the latter - due to the which the Children's Hospital has intended to use pursuant to art. 28 of the Regulation - should have foreseen, taking into account, among other things, "the nature, object, context and purposes of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons ” (art. 32 par. 1 of the Regulation) adequate security measures and their implementation including the related periodic checks of such measures, art. 32 per. 1, letter. b) and d) of the Regulation to ensure the confidentiality, integrity, availability and resilience of the systems on a permanent basis. In this sense, the art. 28 of the Regulation establishes that the act regulating the relationship between the owner and the manager provides that the manager adopts all the measures required pursuant to the art. 32 of the same Regulation (see Act of appointment of data controller, between the Children's Hospital and the Company, of XX, protocol XX, par. 3 – Requirements for the Data Controller”, letters d) and f));  

- furthermore, it is considered that the episode occurred between the 20th and 20th centuries and, therefore, in a limited time span; no complaints or reports were submitted to the Authority and, from what was declared by the owner, no "further consequences for the interested parties emerged and the illegitimately viewed data were not used for other purposes or disseminated, nor does there appear to be evidence of repercussions consisting in a physical, material or immaterial damage to the interested parties"; no malicious behavior emerges in relation to the matter; the manager acted promptly to mitigate the effects of the violation and to resolve the problem.  

4. Conclusions.

In light of the assessments mentioned above, taking into account the declarations made by the Company during the investigation ˗ and considering that, unless the fact constitutes a more serious crime, anyone who, in proceedings before the Guarantor, falsely declares or certifies information or circumstances or produces false deeds or documents, he is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the execution of the tasks or exercise of the powers of the Guarantor" ˗ the elements provided by the data controller in the defense briefs do not allow the findings notified by the Office with the deed to be overcome to start the procedure, since none of the cases provided for by the art. 11 of the Guarantor Regulation n. 1/2019.

For these reasons, the Company, as data controller, with reference to the "integration component of the Dedalus Dnlab software" provided to the Children's Hospital - from which the bug originated - does not provide adequate security measures and the implementation of the same , including the related periodic checks, has processed personal data:

- in a manner that does not comply with the principle of "integrity and confidentiality" in violation of the art. 5, par. 1, letter. f), of the Regulation;

- failing to implement technical and organizational measures suitable to guarantee a level of security adequate to the risk, capable of guaranteeing the ability to ensure the confidentiality, integrity, availability and resilience of security systems and services on a permanent basis processing, as well as a procedure to regularly test, verify and evaluate the effectiveness of such measures in order to guarantee the security of the processing (art. 32, par. 1, letters b) and d));

- determining a communication of data relating to the health of n. 6 patients to six third parties not authorized to receive them, in the absence of a suitable legal basis and, therefore, in violation of the art. 9 of the Regulation.

In this context, considering that measures have been adopted aimed at overcoming the vulnerability described above and that the recipients of the reports subject to the violation have been asked to destroy these reports, the conditions for the adoption of the corrective measures referred to in art. 'art. 58, par. 2, of the Regulation.

5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The violation of the articles. 5, par. 1, letter. f), 9 and 32 of the Regulation, is subject to the application of the pecuniary administrative sanction pursuant to art. 83, par. 4 and 5 of the Regulation.

Taking into account that the violation of the aforementioned rules took place as a consequence of a single conduct, the art. applies. 83, par. 3 of the Regulation, pursuant to which the total amount of the administrative fine does not exceed the amount specified for the most serious violation. Considering that, in this case, the most serious violation concerns the failure to comply with the art. 9 of the Regulation, subject to the administrative sanction provided for by 83, par. 5 of the Regulation, the total amount of the fine is to be quantified up to 20,000,000 euros or, for companies, up to 4% of the total annual worldwide turnover of the previous financial year, if higher.

Consider that the Guarantor, pursuant to articles. 58, par. 2, letter. i), and 83 of the Regulation, as well as art. 166 of the Code, has the power to "impose a pecuniary administrative sanction pursuant to article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each single case" and, in this framework, "the Board [of the Guarantor] adopts the injunction order, with which it also provides for the application of the additional administrative sanction of its publication, in full or in extract, on the website of the Guarantor pursuant to article 166, paragraph 7, of the Code” (art. 16, paragraph 1, of the Guarantor Regulation no. 1/2019).

The aforementioned pecuniary administrative sanction imposed, depending on the circumstances of each individual case, must be determined in the amount taking into account the principles of effectiveness, proportionality and dissuasiveness, indicated in the art. 83, par. 1, of the Regulation in light of the elements provided for in art. 83, par. 2, of the Regulation.

In light of the above, in order to evaluate the seriousness of the violation (art. 83, par. 2, letter a), b), g)), account is taken, in particular, of the category of personal data processed (relating to health), the duration of the violation (4 days), the number of interested parties (n. 6 with reference to the communication of data and n. 8 with reference to the loss of availability of personal data), the absence of intent, the absence of complaints regarding any damage suffered by the interested parties; in light of this, it is believed that the level of severity of the violation committed by the Company is medium (see European Data Protection Committee, “Guidelines 04/2022 on the calculation of administrative fines under the GDPR” of 23 May 2023, point 60).

They are also considered pursuant to art. 83, par. 2, of the Regulation that the Authority became aware of the event following the notification of violation by the Children's Hospital (art. 83, par. 2, letter h), of the Regulation) and that the person responsible suffered a previous proceeding concerning a relevant violation (see provision of 23 March 2023, n. 86, web doc. n. 9883731)(art. 83, par. 2, letter e) of the Regulation).

Based on the aforementioned elements, evaluated as a whole, it is considered necessary to determine the amount of the pecuniary sanction provided for by the art. 83, par. 5, letter. a), of the Regulation, in the amount of 8,000.00 (eight thousand) euros for the violation of the articles. 5, par. 1, letter. f), 9 and 32 of the Regulation, as a pecuniary administrative sanction deemed, pursuant to art. 83, par. 1 of the Regulation, effective, proportionate and dissuasive.

It is also believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7, of the Code and art. 16 of the Guarantor Regulation n. 1/2019, also in consideration of the type of personal data subject to unlawful processing.

Finally, it is noted that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

declares the unlawfulness of the processing of personal data carried out by Dedalus Italia S.p.a., tax code 05994810488, with headquarters in Florence, Via di Collodi n. 6/C, for the violation of articles. 5, par. 1, letter. f), 9 and 32 of the Regulation within the terms set out in the justification

ORDER

pursuant to the articles 58, par. 2, letter. i), and 83 of the Regulation, as well as art. 166 of the Code, to Dedalus Italia S.p.a, to pay the sum of 8,000.00 (eight thousand) euros as a pecuniary administrative sanction for the violations indicated in this provision; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the fine imposed.

ORDERS

to Dedalus Italia S.p.a, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 8,000.00 (eight thousand) euros according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the art. 27 of law no. 689/1981.

HAS

pursuant to art. 166, paragraph 7, of the Code, the publication in full of this provision on the Guarantor's website and the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, letter. u), of the Regulation, of violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, of the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, it is possible to appeal against this provision before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the appellant resides abroad.

Rome, 24 January 2024

PRESIDENT
Stantion

THE SPEAKER
Ghiglia

THE GENERAL SECRETARY
Mattei