The Norwegian Data Protection Authority has decided on an administrative fine of NOK 750,000 for Østfold HF Hospital. The background is that in the period 2013-2019, the hospital stored report extracts from patient records outside the safe zone. The case started with a notification of a personal data breach from the hospital.
The folders where the extracts were stored were not access controlled, and the activity in the folders was not logged. The report extracts were also stored long after the lists were no longer needed. That such extensive storage of unshielded health information could take place over a long period of time, we believe indicates shortcomings in the internal management system, says senior legal adviser Susanne Lie.
About the breach
The report extracts were lists of patients ready for discharge (RfD lists) and included special categories of personal data (sensitive patient information). The breach involves three different lists:
- An updated RfD list that includes approx. 25-30 patients. This list is updated every 15 minutes.
- A historical RfD list from 2013 until 2019, with 13,800 patients and 26,596 discharges.
- Two lists with national identification number and reason for admission, with approx. 30 patients.
The personal information in the lists includes demographic information such as name, date of birth, municipality and department affiliation, and any information about facilitation when transferring a patient to a municipality. Two of the lists contained national identification number and reason for admission.
There was no access control in the area/folders where the report extracts were stored and/or temporarily stored, and it was not logged whether employees had accessed the information. The personal information was available to 118 employees at Østfold HF Hospital, most of whom had no official and justifiable need for such access.
Assessment
The Norwegian Data Protection Authority considers that Østfold HF Hospital has not established a system for access control that is sufficient to prevent similar breaches from occurring in the future, with particular reference to the routines for access control and storage of personal data. The management system must include follow-up to verify that the routines are followed, which also means ensuring that only secure systems are used in the processing of sensitive personal data.
For further information, please contact the Norwegian DPA: international@datatilsynet.no