- Date of final decision: 6 July 2022
- National case
- Controller: University Clinical Center of the Medical University of Warsaw
- Legal Reference: Notification of a personal data breach to the supervisory authority (Article 33(1)), Communication of a personal data breach to the data subject (Article 34(1))
- Decision: Administrative Fine, order to communicate the breach to the data subjects
- Key words: Notification, communication, University Clinical Center
Summary of the Decision
Origin of the case
The Polish Supervisory Authority (SA) received information from the Commissioner for Patients' Rights about a possible personal data breach at the University Clinical Center of the Medical University of Warsaw. One of the patients received a referral from a doctor to a specialty care clinic containing personal information about another person in the following scope: first name, last name, address of residence, personal identification number (PESEL number), and information about health status (information about the diagnosis and purpose of the advice). In the course of the proceedings, the controller confirmed that the personal data of another patient had been mistakenly entered on the referral to the specialty care clinic, but after its own analysis it took the view that the personal data appearing on the referral belonged to a person who did not actually exist.
The controller classified the incident as a security incident and concluded that it did not have significant consequences for the rights and freedoms of the data subject. The controller therefore decided not to notify the personal data breach to the supervisory authority and did not communicate the personal data breach to the data subject. According to the Polish SA, the document issued by the doctor in fact contained only a mistake in the patient's name, while the rest of the data in the referral, i.e. surname, address of residence and personal identification number (PESEL number), were the patient's data. Hence, it cannot be considered that the incident concerned a non-existent person. Despite the error in this person's name, he or she can be easily identified.
The Polish SA imposed an administrative fine of PLN 10,000 on the University Clinical Center of the Medical University of Warsaw. In the opinion of the Polish SA, the controller knowingly failed to notify the personal data breach to the supervisory authority and to the data subject, despite becoming aware of the incident from the Commissioner for Patients' Rights and in spite of letters addressed to it by the DPA indicating the possibility of a high risk to the rights or freedoms of the data subject affected in the present case. In addition, it should be pointed out that the disclosure of another person's personal data to an unauthorized recipient, resulting from the controller's doctor giving him or her a referral to a specialty care clinic with incorrect data, also constitutes a violation of medical confidentiality.
For further information: decision in national language (PO)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.