Personal data breach at the National Center of Addiction Medicine – Administrative fine
On 5 March 2020, the Icelandic Data Protection Authority (DPA) took the decision to impose an administrative fine of ISK 3.000.000 (EUR 20.643) on the National Center of Addiction Medicine in a case relating to a personal data breach.
The National Center of Addiction Medicine is an NGO that operates a detoxification clinic and four inpatient and outpatient rehabilitation centers, as well as a center for family services and a social center in Iceland. Its services are delivered by a staff of medical doctors, psychologists, registered nurses, nurse practitioners and licensed counselors.
The breach occurred when a former employee of the National Center of Addiction Medicine received boxes containing what were supposed to be personal belongings that he had left there. However, it turned out that the boxes contained patient data as well, including health records of 252 former patients and records containing the names of approximately 3.000 people who had attended rehabilitation for alcohol and substance abuse.
After carrying out an investigation of the data breach, the DPA concluded that the breach was a result of a lack of implementation of appropriate data protection policies and appropriate technical and organisational measures to protect the data by the controller. The lack of appropriate measures to protect the personal data therefore constituted violations of, inter alia, Art. 5(1)f and Art. 32 of the GDPR.
When determining the fine, the DPA referred to the nature of the personal data involved in the breach, which were data concerning health, and the large scope of the processing. The DPA also cited the nature of the National Center of Addiction Medicine as a non-profit health care provider and the fact that the Center had made considerable efforts to improve handling of personal data, beginning before the breach came to light.