Resolutions, opinions and reports search tool

Title: Breach of the principle of confidentiality due to 9 improper accesses to the medical record.
Summary: The complainant complained about 9 improper accesses to her medical record that were not related to any healthcare or diagnostic action, since she had never been treated at the center or by the doctor who had made the disputed accesses. The complainant also complained that, within the framework of a meeting of a neighborhood association, the doctor had disseminated some of the complainant's health data. This alleged disclosure of data was filed in the initiation agreement, since the facts were not proven. With regard to the 9 improper accesses proven, the entity is sanctioned for the breach of the principle of confidentiality with a fine of €30,000, as responsible for an infringement provided for in article 83.5.a in relation to article 5.1.f, both of the GDPR. The entity has paid the penalty in advance (€24,000).

The complainant complains that his ex-partner has improperly accessed his HC, without his permission. On the other hand, the CSI states that the professional accessed it during the period of time in which the complainant and the professional were a couple, but does not provide the patient's explicit consent. It is resolved that the principle of confidentiality has been violated.

The complainant complains that the medical center has issued two reports, which state a pathological history that is not based on any medical evidence. The entity has acknowledged the facts and corrected the reports. A final resolution is being prepared for violation of the principle of accuracy.

The complainant complains that the hospital where he is receiving medical treatment has provided his personal data to an external company, without his consent. It is established that the company that has processed the data is a data processor that uses his data to fulfill one of the purposes of the data controller, CatSalut. Specifically, for a medical treatment subscribed to by the complainant. For this reason, an archiving resolution is issued.

It is resolved to declare that, prior to 05/03/2023, the HCB had not implemented the appropriate security measures -technical and organizational- to guarantee a level of security appropriate to the risk of the personal data processing it carried out. Nor had it carried out a risk analysis to define the required security measures, as required by sections 1 and 2 of article 32 RGPD. The computer platform that was the subject of the cyberattack stored information from the HCB and also from other related entities (Barnaclínic SA, CAPSBE and FRCB-IDIBAPS); therefore, the volume and sensitivity of the information required special diligence in its custody and security.

The data protection regulations do not prevent the complainant from communicating the information he requests, regarding access to his clinical history, including the identity of the professionals, rank and professional category, who have accessed it.

The claiming entity has not accredited that it has responded to the request for rectification exercised by the claimant.

It is appropriate to estimate the claim, since the ICS did not respond in time to the request of the claimant. Regarding the fund, it is not appropriate to make any pronouncement or require any action, since the ICS has accredited that it has delivered the documentation to the claimant in the requested terms, that is, it has made effective the right exercised by the claimant, although extemporaneously.

Resolution with ammunation in the sanctioning procedure against the Garraf Health Consortium, Hospital Residencia Sant Camil, due to violation of the principle of accuracy. For having used a mobile phone that had in its database since 2011, instead of using the telephone provided with the derivation of the Sitges EAP, 2022.

The filing of the complaint is necessary for the following reasons: 1) It is accredited that no improper access has been made to the clinical history of the complainant. 2) In this case, it is considered that giving an extemporaneous response and requesting to fill in a specific form are management irregularities that do not have enough entity to start a sanctioning procedure.