GDPR Enforcement in Life Science & Healthcare
Deep dive into relevant data protection enforcement cases and insights for life science and healthcare

To date, data protection authorities (DPAs) from 27 different countries have imposed 237 fines (+35 compared to the 2024 ETR) totalling approximately EUR 22.8 million (+EUR 6.3 million compared to the 2024 ETR) for data protection violations by hospitals, pharmacies, physicians and medicine suppliers. The number of new fines issued in the health care sector in 2024 is 17% lower than in the previous reporting period. The halt in the strong growth in the number and sum of fines, already apparent in the last two years, therefore continues.
The most common reason for fines was the lack of sufficient technical and organisational measures (TOMs), with a total number of 83 fines (+12 compared to the 2024 ETR) and a total volume of EUR 16.3 million. With an average of EUR 203,423 per fine, TOM fines in 2024 are far higher than in the previous year (EUR 17,500). In contrast to the previous year, in which no exceptionally high fines were imposed and the highest fine was EUR 81,000, a seven-figure fine of EUR 3.2 million was imposed in 2024.
Regarding the countries from which the fines originated, Italy again takes the lead with 87 fines issued in 2024. The runners-up are Germany with 25 and Spain with 23 fines issued.
Let's take a closer look
- The biggest health care case in 2024 (ETid-2449) originated in Sweden with a fine of EUR 3.2 million. The data controller, a pharmacy, had used so-called Meta pixels (tracking code) on its website which, because of incorrect settings, transmitted customers' personal data to Meta. The data controller had used the tool to improve its marketing on Facebook and Instagram, without intending to transmit the data. During its investigation, the Swedish DPA found that the controller had failed to implement appropriate technical and organisational measures for the protection of personal data that would have prevented such an incident. In a similar case (ETid-2450), it fined another controller EUR 698,000 for the same breach.
- The French DPA (CNIL) imposed a fine of EUR 800,000 (ETid-2542) on a company which publishes and sells management software for general practitioners working in surgeries and health centres. The company had transferred patient data to its customers for research purposes without authorisation and without proper anonymisation. The data was used to carry out studies and produce statistics in the health sector. The data did not contain any names or immediately identifying information. However, the authority found that the data were not anonymous but merely pseudonymous, since it was technically possible to re-identify the data subjects.
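The CNIL finding above turns on the difference between removing direct identifiers and actually anonymising a dataset. The following Python example is an added illustration, not material from the report or from the CNIL decision: it uses a small constructed set of patient records (hypothetical postcodes, birth years and diagnoses) and a k-anonymity check, one common way to measure whether the remaining quasi-identifiers still single out individuals. The assumption that k-anonymity is the right test for a given release is the example's own, not the authority's.

```python
from collections import defaultdict

# Constructed sample dataset (hypothetical, not from the CNIL decision): names
# and patient numbers have already been removed, but quasi-identifiers remain.
RECORDS = [
    {"postcode": "75001", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "75001", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "75001", "birth_year": 1984, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "69002", "birth_year": 1957, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "13008", "birth_year": 1990, "sex": "M", "diagnosis": "depression"},
    {"postcode": "13008", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
]

# Attributes that are not identifiers on their own but can be linked to
# external knowledge (electoral rolls, a colleague's birthday, etc.).
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for record in records:
        classes[tuple(record[q] for q in quasi)].append(record)
    return dict(classes)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Return k, the size of the smallest equivalence class (0 for an empty set).
    k == 1 means at least one person is singled out by quasi-identifiers alone."""
    classes = equivalence_classes(records, quasi)
    return min(len(group) for group in classes.values()) if classes else 0


def singled_out(records, quasi=QUASI_IDENTIFIERS):
    """Records that are unique on their quasi-identifiers, i.e. re-identifiable
    by anyone who knows one person's postcode, birth year and sex."""
    return [group[0] for group in equivalence_classes(records, quasi).values()
            if len(group) == 1]


def generalise(record):
    """Coarsen quasi-identifiers: two-digit postcode prefix, decade of birth."""
    return {**record,
            "postcode": record["postcode"][:2] + "***",
            "birth_year": record["birth_year"] // 10 * 10}


def anonymise(records, k, quasi=QUASI_IDENTIFIERS):
    """Generalise every record, then suppress any class still smaller than k."""
    generalised = [generalise(r) for r in records]
    return [r for group in equivalence_classes(generalised, quasi).values()
            if len(group) >= k for r in group]


if __name__ == "__main__":
    print("k of the data as released:", k_anonymity(RECORDS))
    for r in singled_out(RECORDS):
        print("singled out despite having no name:", r)
    released = anonymise(RECORDS, k=2)
    print("k after generalisation and suppression:", k_anonymity(released),
          "records kept:", len(released))
```

Run as is, the constructed dataset has k = 1: the single male born in 1957 in postcode 69002 is unique, so his diagnosis is attributable to him by anyone who knows those three facts, even though no name was ever in the file. Only after coarsening the quasi-identifiers and dropping the class that stays unique does the release reach k = 2, at the cost of one record. The point the CNIL case makes is exactly this: stripping names is pseudonymisation, and the data remains personal data until a check of this kind (or a stronger one) shows that re-identification is no longer reasonably possible.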
- Cybersecurity continued to play a major role in 2024. The following cases from Belgium, Poland and Croatia serve to show the importance of sufficient TOMs.
In the first case (ETid-2521), the Belgian DPA (APD) fined a hospital EUR 200,000 after it suffered a ransomware attack that exploited a server vulnerability. The attack paralysed parts of the hospital's computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment and did not have an adequate information security policy. It had also failed to implement appropriate TOMs, such as employee training and a process for keeping its IT equipment up to date.
In the second case (ETid-2428), the Polish National Personal Data Protection Office (UODO) fined a company EUR 336,000. The company also suffered a ransomware attack resulting in the loss of personal data because it had not taken appropriate TOMs to protect personal data, thereby allowing such an attack to occur.
In the third case (ETid-2494), the Croatian DPA (AZOP) fined a hospital EUR 190,000 for the irrevocable loss of radiological image files. The hospital had failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data had been made.
- The Italian DPA (Garante) issued several fines for data protection violations relating to email. In one case (ETid-2245), the Garante imposed a fine of EUR 300,000 on a medical technology company that manufactures medical devices for monitoring, preventing and treating various diseases. The controller had sent emails to hundreds of individuals who used its app to measure blood glucose levels, with all email addresses visible to every recipient, which allowed some recipients to infer that others had diabetes. The controller had also failed to adequately inform data subjects about the processing of their personal data.
In another case from Italy (ETid-2408), the Garante issued a fine of EUR 8,400 against a company that sent an email containing information on medical treatment plans to several patients in an open distribution list, which allowed all 44 recipients to see each other's email addresses.
For inadvertently sending health data to the wrong recipient (ETid-2268), the Garante issued a fine of EUR 18,000 to a healthcare institution.
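The two Garante cases ETid-2245 and ETid-2408 share one failure mode: a single message whose To or Cc header lists every patient, so that the recipient list itself discloses health data. The Python example below is an added illustration and is not code from the report or from any of the companies fined: it builds the problematic "open distribution list" message beside the corrected one-message-per-recipient pattern, and includes a small pre-send check that an outbound mail hook could run to block any message exposing more than one address. The sender address and the 44 patient addresses are constructed and point at the reserved `.invalid` domain.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "clinic@example.invalid"  # constructed sender address

# Constructed recipient list: 44 addresses, the size of the open distribution
# list in the Garante case; none of these addresses is real.
PATIENTS = [f"patient{i:02d}@example.invalid" for i in range(1, 45)]


def build_open_list_message(recipients, subject, body):
    """The failure mode: one message with every patient in the To header."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_individual_messages(recipients, subject, body):
    """The corrected pattern: one message per recipient, so no recipient ever
    sees another patient's address (safer than a shared Bcc, which still
    leaks if any hop rewrites or logs the envelope)."""
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        yield msg


def visible_recipients(msg):
    """Every address a recipient of this message can see: To and Cc.
    Bcc is not included because a compliant MTA strips it before delivery."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers]) if addr]


def disclosure_check(msg, max_visible=1):
    """Gate for an outbound mail hook: return the addresses that would be
    disclosed to the other recipients, or an empty list if the message is safe."""
    visible = visible_recipients(msg)
    return visible if len(visible) > max_visible else []


if __name__ == "__main__":
    subject, body = "Your treatment plan", "Please find your updated plan attached."
    open_msg = build_open_list_message(PATIENTS, subject, body)
    exposed = disclosure_check(open_msg)
    print(f"open list: {len(exposed)} addresses would be disclosed -> BLOCK")
    individual = list(build_individual_messages(PATIENTS, subject, body))
    blocked = [m for m in individual if disclosure_check(m)]
    print(f"per-recipient: {len(individual)} messages, {len(blocked)} blocked")
```

In a mail-sending service the `disclosure_check` call belongs at the last point before the message is handed to the SMTP client, with any non-empty result treated as a hard failure and logged, so that the open-list mistake cannot reach patients even when the template or the calling code is wrong. The threshold of one visible address is deliberate for patient mail; a higher value only makes sense for lists whose membership is not itself sensitive.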