The Italian Data Protection Authority imposes fine on a Local Health Authority (ASL) for irregularities in handling medical records

With decision No. 97 dated February 22, 2024, the Italian Data Protection Authority (or the “Authority”) imposed a fine of € 75,000.00 on a Local Health Authority (ASL) for irregularities in handling the electronic health record. The investigations stemmed from several reports concerning improper access to personal data through the healthcare organization’s storage and reporting system. Specifically, there were numerous accesses to the record by personnel not involved in patient care, including administrative staff. A famous case involved an ASL employee who accessed her ex-husband’s laboratory tests without authorization.

The Authority’s inspections revealed that the record management system allowed healthcare operators to manually enter the reasons for access, thus violating the Authority’s guidelines of June 2015. These guidelines stipulate that access should be restricted to personnel directly involved in patient care.

Additionally, the ASL failed to implement an alert system to detect anomalous or risky behaviors related to dossier access. In addition to the fine, the Authority ordered the ASL to adopt technical and organizational measures to ensure data security and prevent future unauthorized accesses.