On 13 January 2025, the Romanian Data Protection Authority (DPA) announced a fine of €2,000 (RON equivalent) against a healthcare industry controller for violating the General Data Protection Regulation (GDPR). The fine stemmed from the unauthorized disclosure of a patient’s login credentials, raising serious concerns about data security in the healthcare sector.
What Led to the Fine?
The investigation was triggered by a patient complaint regarding a biological sampling clinic operated by the controller. According to the complaint, the patient’s email login credentials were visibly displayed on a computer monitor at the clinic, leading to a serious risk of unauthorized access to personal data.
Following the complaint, the Romanian DPA conducted an investigation and found that the healthcare provider had failed to implement adequate security measures to protect sensitive patient data. This lack of safeguards resulted in an unacceptable risk of unauthorized data access, which violates GDPR requirements for data confidentiality and security.
Key GDPR Violations Identified
The Romanian DPA determined that the healthcare provider failed to comply with GDPR by:
- Not implementing sufficient technical and organizational measures to ensure an appropriate level of data security.
- Failing to prevent unauthorized access to patient credentials and personal information.
- Neglecting to train employees on handling sensitive data securely.
These violations compromised the confidentiality of patient data, leading to regulatory action.
Corrective Measures Ordered
In addition to the financial penalty, the Romanian DPA imposed two corrective measures:
- Mandatory staff training – Employees must be educated on the risks and consequences associated with data processing and security failures.
- Implementation of a stronger password policy – The controller must establish updated rules on maintaining the confidentiality of user credentials and ensuring secure authentication practices.
Why This Matters
This case serves as a critical reminder for all organizations—especially those in the healthcare sector—about the importance of robust data protection measures. GDPR requires controllers to ensure that personal data is handled with the highest level of security to prevent unauthorized access and data breaches.
Lessons Learned
To avoid similar fines and reputational damage, organizations should:
✔️ Conduct regular security audits to identify vulnerabilities.
✔️ Enforce strict password policies to protect sensitive data.
✔️ Provide comprehensive employee training on data protection best practices.
✔️ Implement strong access controls to prevent unauthorized viewing of personal data.
✔️ Ensure compliance with GDPR technical and organizational security requirements.
Data protection is not optional, and organizations must prioritize compliance to safeguard personal information. The Romanian DPA’s enforcement action sends a strong message about the necessity of proactive data security in industries that handle sensitive data, such as healthcare.