Portuguese Hospital Fined 400,000 Euros for GDPR Violation

The grounds for the violation and resulting penalty can be summarized in three words: poor access management. Technicians working at the hospital were able to view sensitive patient data that should only have been accessible to physicians. On top of that, 985 active users were registered in the system as “doctors”, when only 296 actual doctors worked at the hospital in 2018.

Without a structured access management strategy in place, it is virtually impossible for hospitals to fulfill the requirements for data protection as stipulated by the GDPR (General Data Protection Regulation). We therefore recommend taking the following measures:

• Prevent uncontrolled growth: Set up an authorization scheme for internal and external users; Classify all relevant systems, user groups and access levels; Ask yourself the following question (and ask it repeatedly): Does this user have only the privileges he or she actually needs?
• Establish processes that help to implement your authorization scheme continuously as part of daily business routines (e.g. a controlled process for revoking permissions when users change departments or leave the company).
• Produce permission reports that function as records of who had access to personal data and when, retrievable even years later.

With tenfold and the appropriate access rights in place, you can rest assured that personal data will be protected from unauthorized access – or any other type of wrongful access – at all times. Cut down on permissions until only those which are really necessary for business operations remain. Do not put your data at risk for misuse or employee data theft due to wrongly assigned permissions.