The Italian DPA announced a EUR 50,000 fine for a health-related data breach


On 19 February 2021, the Italian DPA (“Garante”) published its decision to fine the local health authority of Emilia Romagna EUR 50,000 for failing to implement appropriate technical and organizational measures to ensure the security of personal data.

Following the investigation, Garante found that after a patient had explicitly requested – by signing a specific form – that no third party or family member be informed about their state of health, a nurse called the patient’s home number instead of their private cellphone, thereby disclosing that health-related data to the patient’s family members.

The full press release is available here, and the decision is available here (both only in Italian).