
Data breaches in healthcare due to human errors: two hospitals and a Local Health Administration Unit sanctioned by the Italian Data Protection Authority


Data breaches are violations of database security that may result not only from cyber attacks, as is usually assumed, but also from human errors committed by persons who, under the direct authority of the data controller or the data processor, are authorised to process personal data. In particular, the absence of corporate procedures for the proper handling of patient data within a healthcare facility throughout their lifecycle, or the inadequacy of such policies to cover all possible cases, can lead to material errors by staff, such as the communication of a patient's data to persons other than the data subject or to unauthorised persons. Such breaches in the health sector have a potentially very serious and detrimental impact on the rights of data subjects, given the special nature of the data processed, which consist of information on a person's state of health. This issue has been the subject of three recent decisions of the Italian Data Protection Authority, which are briefly described in this news item.

The first two decisions

The Italian Data Protection Authority, in the decision n. 29 of 27 January 2021, imposed an administrative sanction of euro 10,000 on a hospital for having sent by post, to the wrong patient, a medical report containing information on the health and sex life of two persons as well as information on the health of their family members.

For the same amount, the Italian Data Protection Authority sanctioned a hospital with the decision n. 30 of 27 January 2021 for having delivered to some patients medical records and reports referring to other persons.

In both cases, in determining the amount of the pecuniary sanction, the Italian Data Protection Authority took into account:

  • that the Authority became aware of the breach through the data breach notification made by the data controller;
  • the isolated and unintentional nature of the breach;
  • the small number of data subjects affected by the unlawful processing;
  • the high degree of cooperation that each data controller showed towards the Italian Data Protection Authority.


The third decision

The third case concerned a Local Health Administration Unit where a patient had explicitly requested the facility to ensure that no third parties, especially including his family members, were informed about his state of health. This request was made on a form included in the medical file.

A nurse at this Local Health Administration Unit, unaware of the formal request for absolute confidentiality made by the data subject, called him on the home number recorded in the data controller's database and, not finding him, informed a member of his family, rather than the data subject himself, about the patient's state of health, thus acting against the formal request expressed on the form.

Because of this violation, with decision n. 36 of 27 January 2021, the Italian Data Protection Authority imposed on the Local Health Administration Unit, as data controller, a pecuniary administrative sanction of 50,000 euros, in addition to the compensation for damages suffered by the patient.



In the light of these decisions, in order to manage data breaches in the healthcare sector promptly and in compliance with data protection law, it is essential for data controllers to adopt an adequate data breach policy, so as to be able to act promptly and efficiently in the event of a data breach, in accordance with Article 33 of the GDPR, and to keep a register of data breaches in which such events are recorded, in full respect of the principle of accountability.

Moreover, it is fundamental for a data controller to create a data protection culture among its staff by organising periodic training courses to make them aware of the correct processing of patient data and of the procedures to be followed in the event of a data breach. Lastly, it may be appropriate to prepare ad hoc company policies to minimise the risk of human errors that may lead to a data breach.


Article provided by: Chiara Agostini (RP Legal & Tax, Italy)


