Italian Data Protection Authority (Garante)-Ospedale San Raffaele s.r.l. (4/28/2022)

In the first case, the neurology department of the hospital had sent a newsletter in an open distribution list, which resulted in the email addresses of the recipients being visible to all recipients. Of the 499 email addresses affected, 321 email addresses related to patients and 46 related to family members/caregivers of patients, which allowed these individuals to be identified by name.

In the second case, a surgical department had sent a newsletter in an open distribution list, so again the recipients’ email addresses were visible to all recipients. Of the 90 e-mail addresses affected, 75 e-mail addresses referred to patients and/or family members/caregivers of the patients, which meant that these individuals could be identified by name.

The DPA considered this to be a violation of the principle of ‘integrity and confidentiality,’ which requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by appropriate technical and organizational measures. With regard to the calculation of the fine, the DPA took into aggravating account the fact that the data breach also affected data relating to the health of the persons concerned.
The fact that the hospital had introduced measures to prevent such events in the future and had cooperated to a high degree with the DPA was taken into beneficial consideration.