Portuguese Hospital Fined 400,000 Euros for GDPR Violation

In 2018, Barreiro Montijo Hospital in Portugal was ordered to pay a massive fine for violating the General Data Protection Regulation (GDPR). The local data protection authority CNPD set the fine for improper access management at 400,000 euros. An additional violation cost the hospital another 100,000 euros.

Unauthorized Access to Personal Data

The grounds for the violation and resulting penalty can be summarized in three words: poor access management. Technicians working at the hospital were able to view sensitive patient data that should only have been accessible to physicians. On top of that, 985 active users were registered in the system as “doctors”, when only 296 actual doctors worked at the hospital in 2018.

GDPR-Compliant Access Management

Without a structured access management strategy in place, it is virtually impossible for hospitals to fulfill the data protection requirements stipulated by the GDPR. We therefore recommend the following measures:

  • Prevent uncontrolled growth: Set up an authorization scheme for internal and external users; Classify all relevant systems, user groups and access levels; Ask yourself the following question (and ask it repeatedly): Does this user have only the privileges he or she actually needs?
  • Establish processes that help to implement your authorization scheme continuously as part of daily business routines (e.g. a controlled process for revoking permissions when users change departments or leave the company).
  • Produce permission reports that function as records of who had access to personal data and when, retrievable even years later.
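The three measures above amount to a recurring reconciliation: compare what the directory says users may do with what their job function entitles them to, and keep a dated record of the result. The script below is an added illustration of that check, not code from tenfold or from the hospital's systems. The HR roster, the role assignments, the role-to-job-title policy and the user ids are all constructed for the example; the `doctor` head count it reports mirrors the mismatch the CNPD found (more accounts holding the role than physicians on staff).

```python
"""Constructed access-review example (not tenfold's code): reconcile
directory role assignments against an HR roster, flag users whose role
exceeds their job function, and emit a dated permission record."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: user id -> job title. A leaver is absent from it.
HR_ROSTER = {
    "u001": "physician",
    "u002": "physician",
    "u003": "it technician",
    "u004": "nurse",
}

# Constructed directory/application role assignments.
ROLE_ASSIGNMENTS = {
    "u001": {"doctor"},
    "u002": {"doctor"},
    "u003": {"doctor", "helpdesk"},   # technician holding a clinical role
    "u004": {"nurse"},
    "u005": {"doctor"},               # account with no HR record (leaver)
}

# Assumed authorization scheme: which job titles may hold which role.
ROLE_POLICY = {
    "doctor": {"physician"},
    "nurse": {"nurse"},
    "helpdesk": {"it technician"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    reason: str


def review_assignments(roster, assignments, policy):
    """Return one Finding per (user, role) pair that the scheme does not justify."""
    findings = []
    for user, roles in sorted(assignments.items()):
        title = roster.get(user)
        for role in sorted(roles):
            if title is None:
                findings.append(Finding(user, role, "no HR record (leaver or orphan account)"))
            elif role not in policy:
                findings.append(Finding(user, role, "role not covered by authorization scheme"))
            elif title not in policy[role]:
                findings.append(Finding(user, role, f"job title '{title}' is not entitled to this role"))
    return findings


def role_headcount(assignments, roster, policy, role):
    """Return (accounts holding the role, staff entitled to it by job title)."""
    holders = sum(1 for roles in assignments.values() if role in roles)
    entitled = sum(1 for title in roster.values() if title in policy.get(role, set()))
    return holders, entitled


def permission_record(assignments, roster, as_of):
    """Point-in-time record of who held which role on which date, suitable for archiving."""
    return [
        {"as_of": as_of.isoformat(), "user": user,
         "job_title": roster.get(user, "UNKNOWN"), "role": role}
        for user, roles in sorted(assignments.items())
        for role in sorted(roles)
    ]


if __name__ == "__main__":
    for f in review_assignments(HR_ROSTER, ROLE_ASSIGNMENTS, ROLE_POLICY):
        print(f"REVOKE? {f.user} role={f.role}: {f.reason}")
    holders, entitled = role_headcount(ROLE_ASSIGNMENTS, HR_ROSTER, ROLE_POLICY, "doctor")
    print(f"'doctor' role: {holders} accounts, {entitled} physicians on staff")
    for row in permission_record(ROLE_ASSIGNMENTS, HR_ROSTER, date.today()):
        print(row)
```

Running the review on every change of department and on departure, rather than once a year, is what turns the scheme into the continuous process the second bullet asks for; the records emitted by `permission_record` answer the third bullet's "who had access, and when" question long after the assignments themselves have changed.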

Meet the Demands of the GDPR – With tenfold

With tenfold and the appropriate access rights in place, you can rest assured that personal data will be protected from unauthorized access – or any other type of wrongful access – at all times. Cut down on permissions until only those which are really necessary for business operations remain. Do not put your data at risk of misuse or employee data theft due to wrongly assigned permissions.

Video Overview

Watch Our Demo Video to See tenfold in Action!

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.