The Hungarian National Authority for Data Protection and Freedom of Information (NAIH) has imposed a HUF 10 million fine on the 11th District Public Health Department of the Government Office of the Capital City Budapest for failing to apply data security measures commensurate with the risks entailed in processing health data when it transmitted an Excel file containing a database of health and contact information to general practitioners.
According to the NAIH, the data breach was linked to the following factors:
- The sender did not sort information according to each general practitioner’s district, enabling doctors to see the personal data of both their patients and patients under the care of other doctors.
- The transmitted file lacked access protection or encryption to guarantee confidentiality.
- The file was sent by way of simple e-mails that could be viewed by anyone.
Although the Government Office reminded the general practitioners of the confidentiality of health data and instructed them to delete the data of patients not belonging to their districts, the above activity resulted in a high-risk data breach, which it failed to report to the NAIH and the data subjects.
In its decision the NAIH established the following:
- The data breach resulted from the Government Office's failure to implement appropriate technical and organisational measures to safeguard the confidentiality of health data during the transmission.
- The sender should have sorted the personal data on a district-by-district basis before transmission, thus ensuring that general practitioners could only access the data of patients in their own districts and not those of other patients, even if urgent action was necessary.
- The lack of security measures may have resulted in personal data being disclosed to recipients who were entitled to access only a fraction of the data (i.e. only the data applicable to their own doctor-patient relationships).
Therefore, there was a direct causal link between the lack of adequate security measures and unauthorised access to data.
Result of the risk assessment: high-risk data breach
In the course of the risk assessment, the NAIH stated that the processing of a large quantity of health data, or processing that could lead to identity theft or misuse, should be considered a fundamental risk. In addition, the Excel file contained a broad range of data that made each patient identifiable. The data could even be used to make a specific diagnosis for a person being treated. Hence, a data breach in the absence of security measures involving such sensitive and highly accurate health data should be considered high risk.
These risks remain even if the information is only disclosed to addressees bound by professional secrecy (i.e. doctors), since once the data have been sent, the data controller has no control over the information. The fact that the recipients were asked to keep the data confidential or to delete it reduced the risk somewhat, but did not eliminate it completely. Risk was increased by the fact that the Excel file was not protected by any access protection or encryption measures that would have ensured the data could be accessed only by authorised persons. The transmission of data by email without any additional safeguards poses serious risks to the privacy of the data subjects, and does not meet the level of security commensurate with the risks posed by high-risk processing in this case.
In light of the above, the data controller did not properly assess the risks of the incident and consequently did not fulfil its obligation to notify the NAIH and the data subjects. In the NAIH’s view, if the Government Office had separated the data by district and provided password protection, with the password sent through a separate channel, there would have been no breach of data security and no corresponding data protection incident. From the point of view of the protection of the fundamental rights of natural persons, including the protection of personal data, the NAIH concluded that the emergency situation caused by the COVID-19 outbreak should not be a complete exemption from the need to comply with appropriate data-security standards.
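The NAIH's finding above, and the earlier point that the sender should have sorted the data by district before transmission, amount to a data-minimisation step that can be checked mechanically: split the full export into one dataset per recipient and verify that no recipient's dataset contains rows outside that recipient's remit. The following is an added illustration written for this article, not code from the NAIH, the Government Office or CMS. The CSV layout, the `gp_id` column used as the recipient key and all patient values are constructed placeholders; the separate password-protection step the NAIH mentions is not shown here and would be done with a proper encryption tool before sending.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical values, not real patient data).
# Columns are assumed; "gp_id" identifies the general practitioner responsible.
SAMPLE_EXPORT = """patient_id,name,district,gp_id,phone,test_result
1,Patient A,11-01,GP-A,+36 30 000 0001,positive
2,Patient B,11-02,GP-B,+36 30 000 0002,negative
3,Patient C,11-01,GP-A,+36 30 000 0003,positive
4,Patient D,11-03,GP-C,+36 30 000 0004,negative
"""


def parse_export(text):
    """Read the full export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def partition_by_recipient(rows, key="gp_id"):
    """Split the export into one dataset per recipient (the district GP).

    This is the sorting step the NAIH said should have happened before
    anything was sent: each GP only ever receives their own patients.
    """
    per_recipient = defaultdict(list)
    for row in rows:
        per_recipient[row[key]].append(row)
    return dict(per_recipient)


def rows_outside_remit(rows, recipient, key="gp_id"):
    """Count rows in a dataset that do not belong to the named recipient."""
    return sum(1 for row in rows if row[key] != recipient)


def verify_minimised(per_recipient, key="gp_id"):
    """Release gate: True only if every recipient's dataset is limited to
    that recipient's own patients. Sending the unsplit file to everyone,
    as in the case above, fails this check."""
    return all(
        rows_outside_remit(rows, recipient, key) == 0
        for recipient, rows in per_recipient.items()
    )


def render_csv(rows):
    """Serialise one recipient's dataset back to CSV text for packaging."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    full = parse_export(SAMPLE_EXPORT)
    # What actually happened: every GP received the whole file.
    unsplit = {gp: full for gp in {r["gp_id"] for r in full}}
    print("unsplit file passes gate:", verify_minimised(unsplit))
    # What should have happened: one file per GP, checked before sending.
    split = partition_by_recipient(full)
    print("per-GP files pass gate:", verify_minimised(split))
    for gp, rows in split.items():
        print(f"--- file for {gp} ({len(rows)} rows) ---")
        print(render_csv(rows))
```

The gate is deliberately placed before any file leaves the organisation, since, as the decision notes, the controller has no control over the data once it has been sent; asking recipients to delete surplus rows afterwards is not a substitute.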
The lesson learned from this decision is that sending health data by e-mail in a simple Excel spreadsheet without password protection or encryption does not comply with data security requirements and that access to personal data must also be restricted.
For more information on this decision and data protection regulations in Hungary, contact your CMS client partner or local CMS experts: Dóra Petrányi / Katalin Horváth / Márton Domokos
Article co-authored by Annamária Klicsu.