Datatilsynet (Denmark) - Medicals Nordic

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 83(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 09.07.2021
Published: 09.07.2021
Fine: 600,000 DKK
Parties: Medicals Nordic
National Case Number/Name: Medicals Nordic
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Frederick Antonovics

The Danish DPA fined Medicals Nordic approximately €80,500 for the unlawful processing of a large number of citizens' health information. The COVID-19 test provider used WhatsApp groups at all its test centres, granting all of its employees unrestricted access to confidential information about citizens.

English Summary

Facts

In January 2021, the Danish DPA discovered that Medicals Nordic used WhatsApp to transmit "confidential information and health information" about citizens tested in the company's test centres. The DPA initiated an own-volition inquiry to assess whether Medicals Nordic had implemented appropriate organisational and technical security measures to safeguard the transmission of citizens' information.

It found that employees at the company used their private phones to communicate confidential patient information to the central administration in charge of the four test centres it operated. It did so via WhatsApp group chats, to which all employees at these centres were added.

As such, even employees who had no work-related need to process patient information could access it. This information included, among other things, citizens' social security numbers and health data. Further, former employees who no longer worked at the company were not removed from the group chats due to "inadequate access management", meaning they retained access to this data.

Holding

The Danish DPA held that "confidential information and health information about a large number of citizens has been processed unsafely and passed on to unauthorized persons, including employees who did not have a work-related need to receive the information [and ex-employees]".

It emphasised that in several cases the violations were intentional, as Medicals Nordic had not carried out the necessary risk assessments for the processing.

Thus, it fined the company DKK 600,000, approximately €80,500.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Medicals Nordic I/S recommended for a fine
Date: 09-07-2021

The Danish Data Protection Agency finds that a rapid-test provider had not implemented appropriate security measures when processing confidential information and health information in connection with COVID-19 tests.

The Danish Data Protection Agency has reported Charlottenlund Lægehus Medicals Nordic I/S ("Medicals Nordic") to the police for having processed confidential information and health information about citizens in connection with COVID-19 tests without having established the necessary security for the processing of that information. The Danish Data Protection Agency has recommended a fine of DKK 600,000.
"We take the matter very seriously because it concerns sensitive information. When you are entrusted with processing citizens' health information, you have a responsibility to take good care of it, and that has not been done in this case," explains Allan Frank, lawyer and IT security specialist at the Danish Data Protection Agency.
In January 2021, the Danish Data Protection Agency became aware that Medicals Nordic used the WhatsApp application to transmit confidential information and health information about citizens who were tested in the company's test centres.
On that basis, the Danish Data Protection Agency opened a case on its own initiative, which, among other things, was to clarify whether Medicals Nordic had implemented appropriate organisational and technical security measures in connection with the transmission of citizens' information.
In this connection, the Danish Data Protection Agency found that Medicals Nordic had not established appropriate security measures in a number of respects.
Inadequate security measures
Employees at Medicals Nordic used their private phones to transmit confidential information about citizens to the company's central administration through the WhatsApp application. For this purpose, Medicals Nordic had set up a WhatsApp group for each of the four test centres that the company operated.
All employees who worked in a test centre were invited to the WhatsApp group belonging to that test centre. The members of each WhatsApp group received every message that other employees transmitted in the group.
This meant that employees who, in the opinion of the Danish Data Protection Agency, had no work-related need to process the information that other employees had to transmit to the central administration nevertheless received it. That information included, among other things, citizens' social security numbers and health information.
Inadequate access control for the groups further meant that employees who were no longer employed were not removed from the WhatsApp groups, so they could continue to access the information transmitted in the groups.
Why a police report?
The Danish Data Protection Agency always makes a concrete assessment of the seriousness of the case pursuant to Article 83(2) of the General Data Protection Regulation when assessing which sanction is, in the Agency's opinion, the correct one.
In assessing that a fine should be imposed, the Danish Data Protection Agency has emphasised that confidential information and health information about a large number of citizens has been processed insecurely and passed on to unauthorised persons, including employees who had no work-related need to receive the information, as well as persons who were no longer employed by the company.
In addition, the Danish Data Protection Agency has emphasised that, in the Agency's assessment, the violations in several cases took place intentionally, since Medicals Nordic had, among other things, not carried out the necessary risk assessments in connection with the processing.