The Swedish DPA, Datainspektionen, has announced that it has completed its review of eight care providers’ medical record systems. During its supervision, it found major shortcomings in access management and in logging functions. Datainspektionen also sharply criticizes the shortcomings in the risk analysis required for handling sensitive personal data.

– Caregivers must make a careful analysis and assessment of what staff’s needs are for information in the medical record systems and what risks there are if staff have access to patient data. Without such an analysis, care providers cannot assign the staff the right access, which in turn means that the operations cannot guarantee patients the privacy protection they are entitled to, says Magnus Bergström, who is the coordinator for the eight reviews.

In seven of the eight cases, the deficiencies are so serious that Datainspektionen has imposed fines totaling €6 770 912.

Karolinska University Hospital SEK 4,000,000.

Sahlgrenska University Hospital SEK 3,500,000.

Region Västerbotten SEK 2,500,000.

Östergötland Region SEK 2,500,000.

Aleris Healthcare SEK 15,000,000.

Aleris Local Health Care SEK 12,000,000.

Capio St Göran SEK 30,000,000.

The maximum fine for the public sector in Sweden is SEK 10 million, while private companies can be fined a maximum of 4% of their annual turnover or 20 million Euros.

The fines imposed above approach the maximum amounts, which is justified by the seriousness of the deficiencies discovered.

In addition to this, there is of course the damage to the brands of the affected companies and organizations.

A medical record system consists of a large amount of unstructured data, and without sufficient documentation and information control over this data, correct access management becomes impossible.

Datainspektionen's decision once again shows that control is a prerequisite for correct access management, and every organization that processes personal data should obtain this control immediately.

We repeat our recommendation to organizations to immediately make an inventory and document all processing of personal data, to enable both relevant authorization management and long-term governance.
