Portuguese Hospital Fined 400,000 Euros for GDPR Violation
In 2018, Barreiro Montijo Hospital in Portugal was fined for violating the General Data Protection Regulation (GDPR). Portugal's data protection authority, the CNPD, set the total fine at 400,000 euros: 300,000 euros for the improper access management described below (violating the data minimisation and the integrity and confidentiality principles) and a further 100,000 euros for failing to implement adequate technical and organisational security measures.
Unauthorized Access to Personal Data
The grounds for the violation and the resulting penalty can be summarized in three words: poor access management. Technicians working at the hospital were able to view clinical patient data that should only have been accessible to physicians. On top of that, 985 active user accounts were assigned the "doctor" profile, although only 296 doctors actually worked at the hospital in 2018. Accounts and their privileges had clearly not been kept in step with the people who really needed them.
GDPR-Compliant Access Management
Without a structured access management strategy in place, it is virtually impossible for hospitals to fulfill the data protection requirements of the GDPR. We therefore recommend taking the following measures:
- Prevent uncontrolled growth of permissions: define an authorization scheme for internal and external users, classify all relevant systems, user groups and access levels, and ask yourself, repeatedly, whether each user holds only the privileges he or she actually needs.
- Establish processes that apply your authorization scheme continuously as part of daily business routines, for example a controlled procedure for revoking permissions when users change departments or leave the organisation, and for removing accounts that no longer correspond to a current employee.
- Produce permission reports that serve as records of who had access to personal data and when, retrievable even years later.
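The three measures above amount to one recurring procedure: derive current entitlements from an append-only access log, compare them with what the authorization scheme and the HR directory say each person may hold, revoke the excess, and keep the log so that "who could read clinical records on a given date" can still be answered later. The following Python script is an added illustration of that procedure; it is not tenfold's code, and the HR directory, role scheme and access log in it are constructed sample data (the job titles, role names and dates are invented for the example).

```python
"""Access recertification against an HR directory and an append-only access log.
Added example; all data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed HR directory: the authoritative source for job and employment status.
HR = {
    "anna":  {"job": "physician",  "active": True},
    "bruno": {"job": "technician", "active": True},
    "carla": {"job": "physician",  "active": False},   # has left the hospital
    "diogo": {"job": "technician", "active": True},
}

# Authorization scheme: the application roles each job function may hold.
ALLOWED_ROLES = {
    "physician":  {"clinical_records", "lab_results"},
    "technician": {"lab_results"},
}


@dataclass(frozen=True)
class AccessEvent:
    when: date
    user: str
    role: str
    action: str    # "grant" or "revoke"
    reason: str


# Constructed access log: every grant and revoke ever made. Entitlements are
# derived from it by replay, so the history survives later clean-ups.
LOG = [
    AccessEvent(date(2016, 1, 15), "carla", "clinical_records", "grant", "onboarding"),
    AccessEvent(date(2017, 3, 1),  "anna",  "clinical_records", "grant", "onboarding"),
    AccessEvent(date(2017, 3, 1),  "anna",  "lab_results",      "grant", "onboarding"),
    AccessEvent(date(2017, 6, 12), "bruno", "lab_results",      "grant", "onboarding"),
    AccessEvent(date(2017, 9, 4),  "bruno", "clinical_records", "grant", "ticket 4711"),  # a technician given doctor access
    AccessEvent(date(2018, 2, 20), "diogo", "lab_results",      "grant", "onboarding"),
    AccessEvent(date(2018, 5, 2),  "ext01", "clinical_records", "grant", "vendor support"),  # no HR record
]

TODAY = date(2019, 1, 10)          # date of this recertification run
AUDIT_DATE = date(2017, 12, 31)    # a past date an auditor might ask about


def entitlements(log, on):
    """Replay the log up to and including `on`; return {user: set(roles)}."""
    held = {}
    for ev in sorted(log, key=lambda e: e.when):
        if ev.when > on:
            break
        roles = held.setdefault(ev.user, set())
        if ev.action == "grant":
            roles.add(ev.role)
        else:
            roles.discard(ev.role)
    return {u: r for u, r in held.items() if r}


def holders(log, role, on):
    """Who held `role` on date `on`: the question an auditor asks years later."""
    return sorted(u for u, r in entitlements(log, on).items() if role in r)


def role_headcount_check(hr, log, role, job, today):
    """Compare accounts holding `role` with active staff whose job is `job`.
    A large gap (985 doctor accounts for 296 doctors) is the warning sign."""
    accounts = len(holders(log, role, today))
    staff = sum(1 for r in hr.values() if r["job"] == job and r["active"])
    return accounts, staff


def review(hr, allowed, log, today):
    """Recertify: return a revoke event for every privilege a user is not entitled
    to, covering leavers, accounts without an HR record, and excess roles."""
    revocations = []
    for user, roles in entitlements(log, today).items():
        rec = hr.get(user)
        if rec is None:
            reason, excess = "no HR record", roles
        elif not rec["active"]:
            reason, excess = "user has left", roles
        else:
            reason = f"not permitted for job '{rec['job']}'"
            excess = roles - allowed[rec["job"]]
        for role in sorted(excess):
            revocations.append(AccessEvent(today, user, role, "revoke", reason))
    return revocations


if __name__ == "__main__":
    print("doctor accounts vs. doctors:",
          role_headcount_check(HR, LOG, "clinical_records", "physician", TODAY))
    revs = review(HR, ALLOWED_ROLES, LOG, TODAY)
    for ev in revs:
        print(f"revoke {ev.role} from {ev.user}: {ev.reason}")
    full_log = LOG + revs
    print("clinical_records holders now:", holders(full_log, "clinical_records", TODAY))
    print("clinical_records holders on", AUDIT_DATE, ":",
          holders(full_log, "clinical_records", AUDIT_DATE))
```

The revocations are appended to the log rather than overwriting it, which is what makes the last query work: after the clean-up, only the physician still holds clinical_records today, yet the report for the end of 2017 still shows the technician and the former employee who had it at the time. In a real deployment the HR feed and the application's role membership would be pulled from the directory and the clinical system instead of the inline dictionaries, and the review would run on a schedule and on every mover or leaver event.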
Meet the Demands of the GDPR – With tenfold
With tenfold and a properly maintained set of access rights, personal data is protected from unauthorized access and from any other form of wrongful access. Cut permissions down until only those actually required for business operations remain, and do not expose your data to misuse or theft by employees through wrongly assigned permissions.
Watch Our Demo Video to See tenfold in Action!