Administrative fine against Region Uppsala for breaches in its security
The Swedish Authority for Privacy Protection (IMY) has received two personal data breach notifications from Region Uppsala. The data breaches concern sensitive personal data sent without encryption to recipients in and outside Sweden.
Following the data breach notifications, IMY has initiated investigations of the region (both the regional board and the hospital board) and states in its two decisions that the region has not taken sufficient technical and organizational measures to ensure a security level that is appropriate in relation to the risks involved in the personal data processing.
“It is a question of information about health and thus sensitive personal information. Our supervision shows that sufficient technical security measures have not been taken to protect the data against, for example, unauthorized access. It also shows that the processing of personal data in both cases took place in violation of the region's own guidelines, which also indicates shortcomings in the organizational measures”, says Linda Hamidi, who led the investigations.
One of the investigations concerns sensitive personal data and social security numbers sent via e-mail. The transmission itself was encrypted (transport-level encryption between mail servers), but the information in the e-mails was not: the message content was sent in readable form. This concerns partly e-mails with patient data that have been sent automatically to the relevant healthcare administrations within the region, and partly e-mails with patient data that have been sent manually to researchers and doctors within the region. For the identified shortcomings in this investigation, IMY issues an administrative fine of SEK 300,000 against the regional board of Region Uppsala.
The second investigation concerns how the University Hospital in Uppsala sends e-mails with patient data to patients and referrers in third countries, i.e. countries outside the EU. The supervision also covers the storage of patient data on the hospital's e-mail server. IMY has examined the security of the personal data processed but has not examined the legality of the third-country transfer itself. For the identified shortcomings in this investigation, IMY issues an administrative fine of SEK 1.6 million against the hospital board of Region Uppsala.
Taken together, the two investigations show that the region has not taken the necessary measures to protect sensitive personal data, both in the e-mails sent and in the storage of the data on the hospital's e-mail server.