Cyprus: Commissioner fines State Health Services Organization €46,500 following a breach

On December 13, 2024, the Office of the Commissioner for Personal Data Protection (the Commissioner) published its decisions regarding the loss of personal data, in which it imposed a total fine of €46,500 on the State Health Services Organization for violations of the General Data Protection Regulation (GDPR) following a data breach notification.

Background to the decision

The Commissioner outlined that it received 13 notifications of personal data breaches from the State Health Services Organization, of which 10 concerned the loss of a patient's medical record and three concerned the loss of the Accident and Emergency Department (AEDD) registration form.

Moreover, the Commissioner clarified that each incident concerned a different patient, and each incident constituted a breach of data availability, as a critical service to the patient was affected and lost.

Findings of the Commissioner

The Commissioner explained that each patient's medical history could no longer be found in a complete medical record, and patients did not receive their medical report when it was requested.

The Commissioner found, among other things, that State Health Services Organization violated:

  • Article 5(1)(f) of the GDPR, since the patient data were not processed in a manner that guarantees their appropriate security, using appropriate technical or organizational measures;
  • Article 24(1) of the GDPR, since the State Health Services Organization did not implement appropriate technical and organizational measures in order to ensure and be able to demonstrate that the processing was carried out in accordance with the GDPR;
  • Article 32(1) of the GDPR, since the State Health Services Organization did not implement appropriate technical and organizational measures in order to ensure the appropriate level of security against the risks; and
  • Article 33(1) of the GDPR, since the notification was not submitted to the Commissioner within the legal time frame.

Outcomes

In light of the above, the Commissioner fined the State Health Services Organization:

  • €5,000 for each of the nine incidents concerning the loss of medical records, a total of €45,000; and
  • €500 for each of the three incidents concerning the loss of the AEDD forms, a total of €1,500.

Moreover, the Commissioner issued a reprimand:

  • in one incident due to the possibility that there was no patient file; and
  • in the two incidents concerning the violation of Article 33(1) of the GDPR.

Lastly, the Commissioner issued an order to the State Health Services Organization to:

  • inform patients about the loss of the medical record in seven incidents; and
  • create an AEDD form handling procedure within three weeks of receiving this Decision and send it to the Commissioner.

You can read the decision, only available in Greek, here.