The General Data Protection Regulation (GDPR) requires businesses, in some cases, to report personal data breaches to IMY. The authority has received such a notification from Region Uppsala, indicating that personal data, including health data, had been processed in the hospital board's e-mail service over a long period.
IMY has carried out a supervisory review of the incident and notes in its decision that the hospital board conducts healthcare activities, which means that sensitive personal data is processed to a large extent within the organisation. IMY also notes that the majority of the hospital board's e-mail users, approximately 6,400 people, work in healthcare. “This poses a significant risk that personal data, including sensitive data, may be processed in the e-mail service,” IMY states in its decision.
In a previous supervisory review of the hospital board, IMY concluded that e-mail systems are generally an unsuitable storage location for sensitive personal data.
The hospital board's guidelines for processing e-mail state that sensitive personal data may not be processed in e-mail unless the data is encrypted with the approved encryption solution. The hospital board also has procedures for deleting e-mails. Despite this, sensitive personal data has been processed in e-mails sent between employees, in violation of the hospital board's guidelines.
Several of the e-mails included in the incident had been stored in the e-mail service for a long time, which indicates that the hospital board did not have effective procedures in place for following up and evaluating the effectiveness of the measures taken.
Overall, IMY assesses that the hospital board has not taken appropriate technical and organizational measures to prevent and detect unauthorized processing of personal data in the e-mail service.
Before this personal data breach was discovered, the hospital board had already started a process to address the risks associated with e-mail use. In this supervisory review, the hospital board has reported on implemented and planned technical and organisational measures that, among other things, aim to improve its ability to prevent and detect unauthorised processing of personal data.
IMY issues a reprimand against the hospital board.
The decision in Swedish is published on the Swedish version of this site.
More news on this topic
- Administrative fine against the Discrimination Ombudsman when personal data was collected via a web form (12 May 2025)
- H&M has made it unnecessarily difficult to avoid marketing (19 October 2023)
- Administrative fine of SEK 35 million against Trygg-Hansa (5 September 2023)
- Four companies must stop using Google Analytics (3 July 2023)