Data breaches in healthcare due to human errors: two hospitals and a Local Health Administration Unit sanctioned by the Italian Data Protection Authority


Data breaches are breaches of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. They result not only from cyber attacks, as is usually assumed, but also from human errors committed by persons who, under the direct authority of the data controller or the data processor, are authorised to process personal data. In particular, the absence of corporate procedures for the proper handling of patient data within a healthcare facility throughout their lifecycle, or the inadequacy of such procedures to cover all possible cases, can lead to material errors by staff, such as the communication of patients' data to persons other than the data subject or to unauthorised persons. Such breaches in the health sector have a potentially very serious and detrimental impact on the rights of data subjects, given the special nature of the data processed, which consist of information on a person's state of health. This issue has been the subject of three recent decisions of the Italian Data Protection Authority, which are briefly described in this article.

The first two decisions

The Italian Data Protection Authority, in decision no. 29 of 27 January 2021, imposed an administrative fine of EUR 10,000 on a hospital for having sent by post, to the wrong patient, a medical report containing information on the health and sex life of two persons as well as information on the health of their family members.

For the same amount, the Italian Data Protection Authority sanctioned a hospital with decision no. 30 of 27 January 2021 for having delivered to some patients medical records and reports referring to other persons.

In both cases, in determining the amount of the pecuniary sanction, the Italian Data Protection Authority took into account:

  • that the Authority learned of the breach through the data breach notification made by the data controller itself;
  • the isolated and unintentional nature of the breach;
  • the small number of data subjects affected by the unlawful processing;
  • the high degree of cooperation that each data controller offered to the Italian Data Protection Authority.


The third decision

The third case concerned a Local Health Administration Unit where a patient had explicitly requested the facility to ensure that no third parties, in particular his family members, were informed about his state of health. This request was made on a form included in his medical file.

A nurse at this Local Health Administration Unit, unaware of the formal request for absolute confidentiality made by the data subject, called him on the home number recorded in the data controller's database. As she did not reach him, she gave an update on the patient's state of health to a member of his family instead of to the data subject, thus acting against the request he had expressed on the form.

Because of this violation, with decision no. 36 of 27 January 2021, the Italian Data Protection Authority imposed on the Local Health Administration Unit, as data controller, a pecuniary administrative fine of EUR 50,000, in addition to the compensation owed for the damage suffered by the patient.



In the light of these decisions, in order to manage data breaches in the healthcare sector promptly and in compliance with data protection law, it is essential for data controllers to adopt an adequate data breach policy, so that they can act promptly and efficiently in the event of a data breach, in accordance with Article 33 of the GDPR, and to keep a register of data breaches in which such events are documented, as Article 33(5) of the GDPR requires, in full respect of the principle of accountability.

Moreover, it is fundamental for a data controller to create a data protection culture among its staff, by organising periodic training courses to make them aware of the correct processing of patient data and of the procedures to be followed in the event of a data breach. Lastly, it would be advisable to prepare ad hoc company policies to minimise the risk of human errors that may lead to a data breach.


Article provided by: Chiara Agostini (RP Legal & Tax, Italy)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.