IMY (Sweden) - DI-2021-5595

From GDPRhub
IMY (Sweden) - DI-2021-5595
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 07.05.2019
Decided: 26.01.2022
Published:
Fine: 1,600,000 SEK
Parties: n/a
National Case Number/Name: DI-2021-5595
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: Cesar Manso-Sayao

The Swedish DPA imposed a fine of approximately €150,000 on a hospital for a violation of Articles 5(1)(f) and 32(1) GDPR by emailing unencrypted medical records to patients and hospitals abroad.

English Summary[edit | edit source]

Facts[edit | edit source]

Uppsala regional authorities notified the Swedish DPA (Integritetsskyddsmyndigheten - IMY) that a personal data breach had occurred in their jurisdiction in 2019. Based on this notification, the Swedish DPA initiated an investigation into the medical data which the Uppsala University Hospital emailed to patients from abroad, as well as to the foreign hospitals which referred those patients.

According to its internal procedures, once the hospital had finalized treatment to a patient from abroad, a medical report was sent to the patient and the referring hospital. Although it can be sent by post, the hospital gave the recipient the option of choosing their preferred channel to receive the report, which in the majority of cases was via email.

These medical reports have been sent by email without encryption since 2014. Although at some point the hospital began using Microsoft Outlook’s Transport Layer Security (TLS) encryption, if the email software on the recipients’ side did not support TLS, the emails were sent without encryption. Once sent, the emails and medical records themselves remained stored in the hospital’s Outlook account.

In 2019, after conducting an internal risk analysis and a Data Protection Impact Assessment (DPIA) the hospital introduced an encryption solution for secure email.

Holding[edit | edit source]

In its decision, the IMY established that its investigation was limited to analysing matters related to the security of the processing, and it had not examined whether this processing complied with other GDPR provisions, such as those related to the transfer of personal data to third countries.

The IMY took into account Recital 75 and 76 GDPR in order to carry out an assessment of the responsibilities of the University Hospital Board (the controller in this case), according to the risks involved in the data it was processing. The IMY highlighted that this case involved large amounts of medical data, which is a special category of data with extra protections under Article 9 GDPR, including children’s data. The IMY held that in this case, because of the fact that the data sent was only encrypted once Outlook’s TLS was eventually adopted, and also only when the recipients’ software supported this protocol, the hospital had not been able to ensure that the emails it sent were encrypted according to the risk involved in the processing, in breach of Article 5(1)(f) GDPR.

The IMY also noted that the local government of Uppsala had issued a policy document related to the handling of emails which specifically prohibited sending sensitive personal data by email, and therefore the hospital should have identified the risks posed through processing the data in this manner. Additionally, the IMY stated that the purpose of an email system like Outlook is to disseminate and communicate information, and not an appropriate place for the storage medical data, because of its exposure to unauthorised access on the internet. Therefore, the IMY held that the University Hospital Board had violated Article 32(1) GDPR by failing to incorporate appropriate technical and organisational measures to ensure a level of security appropriate to the risk represented by the processing.

In order to determine the fine for these violations, as aggravating factors, the IMY took into consideration the large amount of data and the long period of time over which it was shared, as well as the fact that the hospital had violated specific regional policy guidelines. As a mitigating factor, the IMY recognised that the hospital had eventually introduced an encryption solution for files in 2019. Based on these considerations, the IMY imposed a fine of approximately €150,000 (1,600,000 SEK) on the University Hospital Board for the violation of Articles 5(1)(f) and 32(1) GDPR.

Comment[edit | edit source]

The data breach notification in this case also generated a parallel investigation in which the IMY imposed a fine of approximately €30,000 on the Uppsala Regional Council for a violation of Article 32(1) GDPR by emailing unencrypted medical data to administrative bodies, researchers and physicians (IMY (Sweden) - DI-2019-9457).

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

                                                                                                                      1 (11)






                                                                      The National Board of Health and Welfare in the Uppsala Region
                                                                      751 85 Uppsala








Record number:
DI-2021-5595 Decision after supervision according to

Date: the Data Protection Regulation against
2022-01-26

                                The National Board of Health and Welfare in the Uppsala Region





                                Table of Contents

                                The decision of the Integrity Protection Authority ................................................ ........................... 2

                                Report on the supervisory matter ............................................... ....................................... 2

                                       The starting point for the supervisory matter ............................................... ...................... 2

                                       Information from the hospital board ............................................... ............................. 3

                                              Personal data responsibility ................................................. .............................. 3

                                              E-mail sent unencrypted over an open network to third countries .................... 3
                                              Storage in the e-mail hosting service Outlook ............................................ ............ 4

                                Grounds for the decision ............................................... .................................................. ... 5

                                       Applicable rules................................................ .................................................. .. 5

                                              The responsibility of the personal data controller ............................................... ...... 5

                                              The requirement for security in the processing of personal data, etc ..................... 5
                                       IMY's assessment .............................................. .................................................. 6

                                              Personal data responsibility ................................................. .............................. 6

                                              Sensitive personal data has been sent unencrypted via open network ............... 6

                                              Sensitive personal data has been stored in Outlook ......................................... 7

                                       Choice of intervention ............................................... .................................................. 8
                                              Legal regulation ................................................ ....................................... 8

                                              Imposition of a penalty fee ............................................... ..................... 8

                                How to appeal............................................... .................................................. ..... 11

Postal address:
Box 8114
104 20 Stockholm
Website:

www.imy.se
E-mail:
imy@imy.se

Phone:
08-657 61 00


                                                              Page 1 of 11, Integrity Protection Authority Record number: DI-2021-5595 2 (11)
                                Date: 2022-01-26











                                The decision of the Integrity Protection Authority


                                The Integrity Protection Authority (IMY) states that the Hospital Board in the Uppsala Region
                                (the hospital board) as the person responsible for personal data, during the period from 25 May 2018

                                until 7 May 2019, processed personal data in violation of Articles 5.1 f and 32.1 i
                                the Data Protection Regulation as follows:


                                     The hospital board has sent sensitive personal data that was not encrypted
                                         via open network to patients and referrers. The treatment has also taken place in combat

                                         with Region Uppsala's own guidelines. This means that the hospital board does not have
                                         have taken appropriate technical and organizational measures to ensure a

                                         level of safety appropriate to the risk of treatment.


                                     The hospital board has stored sensitive personal data in the e-mail hosting service
                                         Outlook. This means that the hospital board has not taken appropriate technical measures

                                         measures to ensure a level of safety appropriate to:
                                         the risk of treatment.



                                The IMY decides on the basis of Articles 58 (2) and 83 of the Data Protection Ordinance and Chapter 6.
                                § 2 of the Data Protection Act that the hospital board, for violation of Articles 5.1 f and 32.1
                                in the Data Protection Regulation, shall pay an administrative penalty fee of 1,600,000 (a

                                million six hundred thousand) kronor.


                                Report on the supervisory matter


                                The starting point for the supervisory matter


                                IMY decided to initiate an investigation against the Uppsala Region due to the region's
                                notification on 7 May 2019 of personal data incident.


                                IMY's review includes the processing of personal data carried out by the hospital board

                                in connection with the University Hospital sending e-mails with patient information to
                                patients and remittances in third countries. IMY's review also includes the storage of
                                patient information in the Outlook e-mail hosting service.


                                Within the framework of this supervision, the IMY has reviewed the matter in question

                                the processing of personal data meets the security requirements set out in Articles 5 (1) (f)
                                and 32 of the Data Protection Regulation. IMY has not reviewed
                                the processing of personal data is compatible with the regulation in the Data Protection Regulation in

                                other, for example, the provisions on the transfer of personal data to third countries.


                                The Data Protection Ordinance came into force on 25 May 2018. IMY's supervision covers
                                therefore the period from 25 May 2018 to 7 May 2019 (when notification was received). IMY has





                                Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with
                                concerning the processing of personal data and on the free movement of such data and on the repeal of
                                Directive 95/46 / EC (General Data Protection Regulation).
                                2The Act (2018: 218) with supplementary provisions to the EU Data Protection Regulation.



                                                              Page 2 of 11, Integrity Protection Authority Record number: DI-2021-5595 3 (11)
                               Date: 2022-01-26






                               has not reviewed the measures that the hospital board has stated that it has taken after the 7th

                               May 2019.


                               Information from the hospital board

                               The Regional Board of the Uppsala Region has stated that it has the right to represent the region

                               outwards. The hospital board has stated that it agrees with what the regional board has stated.

                               The Hospital Board has, through the Regional Board, stated, among other things, the following.


                               Personal data responsibility

                               The hospital board is responsible for personal data for the processing of personal data
                               occurs when e-mails are sent from and to patients or referrers abroad. The treatment
                               takes place at the administration, Akademiska sjukhuset, which is located under the board

                               the hospital board. This assessment is made in light of the fact that the hospital board is one
                               independent managing authority that determines the purpose and means with

                               personal data processing.

                               E-mail sent unencrypted over an open network to third countries


                               Processing of personal data in e-mail


                               The academic hospital sends e-mails to patients and referrers (that is
                               the home hospital) abroad at the initiative of the patient or the referrer. It's up to

                               the patient or the referrer to choose how the information is to be submitted. The dialogue
                               between the patient or the referrer and the Academic Hospital takes place mainly via
                               E-mail.


                               A patient from abroad who receives care at the Academic Hospital is registered in

                               the main journal system Cosmic. Journal documents obtained from the patient about hens
                               health status is scanned into Cosmic. Also the care performed at Akademiska
                               the hospital is documented in Cosmic. When the care is terminated, the doctor in charge writes one

                               compilation of care in a so-called Medical report in Cosmic. Medical report
                               sent to the patient or referrer by mail, but if urgent, it is sent
                               via e-mail.


                               The purpose of the treatment is to provide highly specialized health care at

                               Academic Hospital.

                               The University Hospital sends an estimated 500-1,000 such e-mails

                               per month. The emails were sent in 2018 to patients alternatively
                               remittances in Lebanon, Morocco, Nepal, Pakistan, Peru, Russia, Saudi Arabia,

                               Switzerland, Thailand, Turkey, USA, Argentina, Australia, India, Iraq, Iran, Israel,
                               Canada, Kenya and China.


                               The e-mails usually contain journal documents and are forwarded to those concerned
                               operations manager, specialist and in some cases other staff within Akademiska
                               the hospital. Two people have access to the personal data. It's administrative

                               staff with a care background who have access to personal data and staff
                               covered by confidentiality.


                               The personal data that is processed is information about health and information about the patient
                               name, backup number, home address, e-mail address, telephone number, remittant,




                                                            Page 3 of 11, Integrity Protection Authority Record number: DI-2021-5595 4 (11)

                                Date: 2022-01-26






                                affected area of activity and time of booked care. The registered are employees,
                                patients and children. As far as employees are concerned, information about them only appears in

                                sending and receiving email addresses.


                                The processing of personal data concerned approximately 300 registered persons per year from 2014 onwards
                                May 2019. The number applies to both people who have submitted requests for care and
                                those treated at the Academic Hospital.


                                The processing of personal data has been ongoing since 2014 and is still ongoing. The

                                appears from a letter from the hospital board dated June 2, 2021.


                                Encryption

                                Personal data is sent unencrypted over an open network. This means that the transfer of

                                the e-mail and the information in the e-mails are not protected by encryption.


                                Since the introduction of Outlook, the hospital board has used Microsoft
                                default settings, which means that the transmission of the e-mail takes place with it
                                                                                                   3
                                Opportunistic Cryptographic Communication Protocol, OTLS. The National Board of Health and Welfare
                                uses version 1.2 of the cryptographic communication protocol (TLS 1.2).
                                This means that if the recipient's email provider does not have this version of TLS, select

                                a previous version of TLS.


                                If TLS is not supported by the recipient's e-mail provider, the e-mail
                                the mail messages are unencrypted at the time of transmission. According to the hospital board, this is approx

                                1 of 9,000 emails. However, the hospital board has not verified exactly how
                                many of these emails per day are sent unencrypted in this
                                personal data processing.


                                The hospital board has not fulfilled the requirements for the transfer of personal data in the open

                                networks must be made in such a way that unauthorized persons cannot access them. This then
                                the transfer was made unencrypted via Outlook.


                                Control document


                                According to Region Uppsala's governing document on handling e-mail gets sensitive
                                personal data is not communicated via e-mail.


                                Measures taken after the incident


                                In September 2019, the Hospital Board introduced an encryption solution for files, which
                                enabled secure email transfer.


                                Systematic improvement work is underway and the hospital board has worked on one

                                risk analysis and an impact assessment.


                                Storage in the e-mail hosting service Outlook
                                In Outlook, the e-mails are stored between the patient or remit and the Academic
                                the hospital. The journal documents are also stored in Outlook.






                                3Opportunistic Transport Layer Security.


                                                              Page 4 of 11, Integrity Protection Authority Record number: DI-2021-5595 5 (11)
                               Date: 2022-01-26







                               Justification of the decision


                               Applicable rules


                               The responsibility of the personal data controller
                               He who alone or together with others decides the purposes and means for
                               the processing of personal data is the person responsible for personal data. It is stated in Article 4 (7)

                               in the Data Protection Regulation.

                               The person responsible for personal data is responsible for and must be able to show that the basics

                               the principles of Article 5 of the Data Protection Regulation are complied with (Article 5 (2)).


                               The person responsible for personal data is responsible for implementing appropriate technical and
                               organizational measures to ensure and be able to demonstrate that the treatment is carried out in
                               in accordance with the Data Protection Regulation. The measures shall be implemented taking into account

                               the nature, scope, context and purpose of the treatment and the risks, of
                               varying degrees of probability and seriousness, for the freedoms and rights of natural persons.
                               The measures must be reviewed and updated as necessary. It is stated in Article 24 (1) (i)

                               the Data Protection Regulation.

                               The requirement for security in the processing of personal data, etc.

                               A basic principle for the processing of personal data is the requirement for security
                               in accordance with Article 5 (1) (f) of the Data Protection Regulation, which states that personal data shall:

                               processed in a way that ensures appropriate security for personal data,
                               including protection against unauthorized or unauthorized treatment and against loss, destruction or
                               damage by accident, using appropriate technical or

                               organizational measures.

                               Health information constitutes so-called sensitive personal data. It is forbidden to

                               process such personal data in accordance with Article 9 (1) of the Data Protection Regulation, unless
                               the treatment is not covered by any of the exceptions in Article 9 (2) of the Regulation.


                               It follows from Article 32 (1) of the Data Protection Regulation that the controller and
                               the personal data assistant shall take appropriate technical and organizational measures to:

                               ensure a level of safety that is appropriate in relation to the risk of the treatment.
                               This must be done taking into account the latest developments, the implementation costs
                               and the nature, scope, context and purpose of the treatment and the risks, of

                               varying degrees of probability and seriousness, for the rights and freedoms of natural persons.

                               In assessing the appropriate level of safety, special consideration shall be given to the risks involved

                               the treatment entails, in particular from accidental or unlawful destruction, loss or
                               change or to unauthorized disclosure of or unauthorized access to the personal data that

                               transferred, stored or otherwise processed. It is clear from Article 32 (2) (i)
                               the Data Protection Regulation.


                               Recital 75 of the Data Protection Regulation sets out the factors to be taken into account
                               the assessment of the risk to the rights and freedoms of natural persons that may
                               arise in the processing of personal data. Among other things, should be reconsidered

                               the processing concerns personal data on health or on vulnerable natural persons,
                               especially children, or if the processing involves a large number of personal data and
                               applies to a large number of registered.






                                                            Page 5 of 11, Integrity Protection Authority Record number: DI-2021-5595 6 (11)
                                Date: 2022-01-26







                                Recitals 39 and 83 also provide guidance on the more detailed meaning of
                                the requirements of the Data Protection Regulation on security when processing personal data.


                                IMY's assessment


                                Personal data responsibility
                                The National Board of Health and Welfare has stated that it is responsible for personal data for it

                                personal data processing that takes place when e-mail is sent from the University Hospital to
                                patients and remittances abroad. This is supported by the other investigation in the case.

                                IMY therefore considers that the hospital board is responsible for personal data for the e-
                                postal transfers in question. Furthermore, IMY assesses that
                                The hospital board is also responsible for the processing of personal data

                                which occurs during storage in the e-mail hosting service Outlook because the e-mail transmissions
                                happens from there.


                                Sensitive personal data has been sent unencrypted via the open network

                                As the person responsible for personal data, the hospital board must take appropriate technical and
                                organizational measures to ensure an appropriate level of security in
                                relation to the risks (Article 32 of the Data Protection Regulation). The personal data as

                                treated must, for example, be protected against unauthorized disclosure or unauthorized access.


                                What is the appropriate level of security varies in relation to, among other things, the risks for
                                the rights of natural persons which the treatment entails and the nature of the treatment,
                                scope, context and purpose. In the assessment, it must, for example

                                take into account the type of personal data being processed, such as data on
                                health.4


                                The hospital board has sent a large number of personal data via e-mail to patients and

                                remitters abroad. These are an estimated 500-1,000 sent e-mails
                                mail messages per month. The current emails contained
                                personal data on health that are sensitive personal data. Treatment of sensitive

                                personal data can pose significant risks to personal privacy and
                                therefore, strong protection is required in the processing of such data. This means that if

                                such personal data sent by e-mail must be protected in such a way that
                                unauthorized persons cannot take part in them. Personal data can, for example, be protected by
                                encryption.


                                The hospital board's information shows that the hospital board used a technology, so

                                called OTLS, which means that the transmission of the e-mail is encrypted for that case
                                receiving e-mail server supports TLS. If the receiving e-mail server does not support
                                TLS, the transmission of the e-mail becomes unencrypted. This means that the hospital board

                                uses a technology that is dependent on the receiver's technical settings, which means
                                that the hospital board can not ensure that the transmission of the e-mail is encrypted. E-

                                the mail has been sent externally (ie outside the Uppsala Region), which has resulted
                                that it was not possible to ensure that the e-mail sent from the Academic Hospital
                                received with an encryption that is appropriate in relation to the risk of the treatment.

                                The National Board of Health and Welfare has itself stated that it has not verified how many of the
                                the mail messages sent unencrypted via open network per day.


                                In the present case, the information is sent in the emails without encryption, that is

                                say the information has been read in plain text via the open network (internet). This means that


                                4See recitals 75 and 76 of the Data Protection Regulation.



                                                              Page 6 of 11, Integrity Protection Authority Record number: DI-2021-5595 7 (11)

                                 Date: 2022-01-26






                                 unauthorized persons have been able to access the personal data in the e-mails and that
                                 other than intended recipients have been able to access the information both below

                                 the transmission, in cases where the recipient's e-mail server did not support TLS, and after
                                 the transmission of the e-mail. According to IMY, there is a risk that the data will come in

                                 wrong hands after the transfer, as the person sending the data would
                                 be able to write an incorrect recipient address [1.


                                 IMY finds that the information in the emails should have been protected against unauthorized use
                                 disclosure or unauthorized access, and this regardless of the transmission of the e-mail

                                 been encrypted or not. The hospital board should have taken technical measures, to
                                 examples in the form of encryption, to protect personal data and thereby

                                 ensure an appropriate level of data protection.

                                 That a large number of sensitive personal data has been exposed to for a long time

                                 internet without protection against unauthorized disclosure or unauthorized access, means according to IMY
                                 that the lack of security has been of such a serious nature that it also involves one

                                 infringement of Article 5 (1) (f) of the Data Protection Regulation.


                                 According to the hospital board, Region Uppsala's governing document on handling mail states
                                 and e-mail that sensitive personal data may not be communicated via e-mail.
                                 The hospital board has thus identified the risks of treating the sensitive

                                 personal data in e-mail entails but has not taken sufficient measures to comply
                                 guidelines. IMY thus finds that the hospital board has not taken the appropriate ones

                                 organizational measures required to ensure the safety of treatment.


                                 Overall, IMY finds that the hospital board, by not taking appropriate action
                                 technical and organizational measures to ensure a level of security that is
                                 appropriate in relation to the risk of the processing, has processed personal data in violation

                                 with Articles 5 (1) (f) and 32 (1) of the Data Protection Regulation.


                                 Sensitive personal data has been stored in Outlook
                                 The hospital board has stated that the medical records are also stored in Outlook in addition

                                 storage in the main journal system Cosmic.

                                 The journal documents contain personal information about health that is sensitive

                                 personal data. Processing of sensitive personal data can mean significant
                                 risks to privacy and therefore strong protection is required during treatment

                                 of such information. This means, among other things, that this personal data must
                                 protected in such a way that unauthorized persons cannot access them.


                                 The purpose of an email system (in this case Outlook) is to disseminate and communicate
                                 information. An e-mail system is exposed to the internet, which means that the information in

                                 the system risks becoming inaccessible to unauthorized persons. Outlook is therefore generally one
                                 inappropriate storage for sensitive personal data.


                                 By storing journal documents in Outlook, the current data has been exposed to one

                                 high risk that they will be disclosed or that unauthorized persons will gain access to them. This means that
                                 the hospital board has not taken the technical measures required under Article 32 i
                                 the Data Protection Regulation to ensure adequate data protection.


                                 That a large number of sensitive personal data has been exposed to for a long time

                                 internet without protection against unauthorized disclosure or unauthorized access, means according to IMY

                                 [1See the Swedish Data Inspectorate's report Reported personal data incidents 2019 (report 2020: 2).


                                                                Page 7 of 11, Integrity Protection Authority Record number: DI-2021-5595 8 (11)
                               Date: 2022-01-26






                               that the lack of security has been of such a serious nature that it also involves one

                               infringement of Article 5 (1) (f) of the Data Protection Regulation.


                               In summary, IMY considers that the hospital board has not taken appropriate technical measures
                               measures to prevent unauthorized disclosure of or unauthorized access to
                               the personal data stored in Outlook. As a result, the hospital board has not

                               ensure a level of safety that is appropriate in relation to the risk of the treatment.
                               The Hospital Board has thus processed the personal data in violation of Articles 5.1 f
                               and 32.1 of the Data Protection Regulation.


                               Choice of intervention


                               Legal regulation

                               In the event of violations of the Data Protection Regulation, the IMY has a number of corrections
                               powers available under Article 58 (2) (a) to (j) of the Data Protection Regulation, inter alia
                               reprimand, injunction and penalty fees.


                               IMY shall impose penalty fees in addition to or in lieu of other corrective actions
                               referred to in Article 58 (2), depending on the circumstances of each case.


                               Member States may lay down rules on whether and to what extent administrative

                               penalty fees can be imposed on public authorities. It is clear from Article 83 (7) (i)
                               Regulation. Sweden has accordingly decided that the supervisory authority shall receive
                               charge sanction fees by authorities. For infringements of, inter alia, Article 32,

                               the fee amounts to a maximum of SEK 5,000,000. For infringements of, inter alia, Article 5 i
                               According to the ordinance, the fee shall amount to a maximum of SEK 10,000,000. It appears from ch. 6 2

                               § of the Data Protection Act and Article 83 (4) and 83 (5) of the Data Protection Ordinance.

                               If a personal data controller or a personal data assistant, with respect to a

                               and the same or interconnected data processing, intentionally or by
                               negligence violates several of the provisions of this Regulation may it
                               the total amount of the administrative penalty fee does not exceed the amount determined

                               for the most serious infringement. It is clear from Article 83 (3) (i)
                               the Data Protection Regulation.


                               Each supervisory authority shall ensure that the imposition of administrative
                               penalty fees in each individual case are effective, proportionate and dissuasive. The

                               provided for in Article 83 (1) of the Data Protection Regulation.

                               Article 83 (2) of the Data Protection Regulation sets out the factors to be taken into account in order to:

                               decide whether to impose an administrative penalty fee, but also at
                               determining the amount of the penalty fee. If it is a question of a smaller

                               infringement may IMY as set out in recital 148 instead of imposing a
                               issue a reprimand in accordance with Article 58 (2) (b) of the Regulation. Consideration shall
                               taken to aggravating and mitigating circumstances in the case, such as the infringement

                               character, degree of difficulty and duration as well as previous violations of relevance.


                               Imposition of a penalty fee
                               IMY has above assessed that the hospital board has violated Articles 5.1 f and 32.1 i
                               the Data Protection Regulation. Violations of these provisions may, as is apparent

                               above, give rise to penalty fees.






                                                             Page 8 of 11, Integrity Protection Authority Record number: DI-2021-5595 9 (11)
                               Date: 2022-01-26







                               The violations have taken place because the hospital board has sent a large amount
                               patient data via unencrypted e-mail via open network to patients and referrers in
                               third country and because the patient data has been stored in Outlook. The personal data

                               which were processed were sensitive personal data, which means a high risk for those
                               freedoms and rights were registered. The treatments described in the case have taken place

                               systematically and for a long time. The treatments via e-mail have also taken place in conflict
                               with Region Uppsala's own guidelines. Taken together, these factors mean that one
                               penalty fee should be imposed.


                               IMY estimates that the treatments via e-mail and storage refer to two interconnected

                               data processing in accordance with Article 83 (3) of the Data Protection Regulation. This because
                               the treatments concern the handling of the same personal data in Outlook and refer to
                               violation of the same provisions.


                               In determining the size of the penalty fee, the IMY shall take into account both aggravating and

                               mitigating circumstances and that the administrative penalty fee should be
                               effective, proportionate and dissuasive.


                               It is aggravating that the personal data processing has been going on for a long time, that is
                               say during the period under review from 25 May 2018 to 7 May 2019, and that

                               the hospital board did not promptly take measures to protect personal data despite
                               that the hospital board was aware of the shortcomings in safety. It is also aggravating
                               that the treatments included a large amount of health information that was sent unencrypted

                               via open network and stored in Outlook. It has been about between
                               500 and 1,000 e-mails per month that unauthorized persons have been able to access
                               to via the internet and included about 300 registered per year. Through the information provided

                               processed, the data subjects can be identified directly by name, contact details and
                               health information. IMY therefore considers the nature, scope and nature of the data

                               the dependent's dependency gives the hospital board a special responsibility to ensure
                               appropriate protection of personal data, which has not happened.


                               It is further aggravating that the treatments have taken place systematically and that they have taken place in
                               contrary to Region Uppsala's own guidelines that sensitive personal data should not

                               sent by e-mail.

                               As a mitigating circumstance, it is taken into account that the hospital board introduced in September 2019

                               technical measures in the form of an encryption solution for files.


                               IMY decides based on an overall assessment that the hospital board should be imposed on one
                               administrative penalty fee of 1,600,000 (one million six hundred thousand) kronor.





                               This decision was made by Director General Lena Lindgren Schelin after the presentation
                               by lawyer Linda Hamidi. At the final hearing, the Chief Justice also has David
                               Törngren, unit manager Malin Blixt and IT security specialist Ulrika Sundling

                               participated.


                               Lena Lindgren Schelin, 2022-01-26 (This is an electronic signature)









                                                             Page 9 of 11, Integrity Protection Authority Record number: DI-2021-5595 10 (11)

                               Date: 2022-01-26









                               Appendix
                               Information on payment of penalty fee.


                               Copy to

                               The Data Protection Officer.





































































                                                             Page 10 of 11, Integrity Protection Authority Record number: DI-2021-5595 11 (11)
                              Date: 2022-01-26






                              How to appeal


                              If you want to appeal the decision, you must write to the Privacy Protection Authority. Enter i

                              the letter which decision you are appealing and the change you are requesting. The appeal shall
                              have been received by the Privacy Protection Authority no later than three weeks from the date of the decision
                              was announced. If the appeal has been received in time, send

                              The Integrity Protection Authority forwards it to the Administrative Court in Stockholm
                              examination.


                              You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                              any privacy-sensitive personal data or data that may be covered by
                              secrecy. The authority's contact information can be found on the first page of the decision.


























































                                                          Page 11 of 10