Uppsala regional board

Description

The Swedish DPA has imposed a fine of EUR 28,500 on the Uppsala regional board. The fine is the result of an investigation of the Uppsala region (the regional board and the hospital board). The DPA had received two reports of incidents involving personal data from the Uppsala region. The incidents involved sensitive personal health data that had been transferred unencrypted to recipients inside and outside Sweden. The regional board had transmitted sensitive personal data and personal identity numbers via email. The actual transmission of the emails was encrypted, but the information in the emails was not. The emails in question contained patient data that was automatically sent to the appropriate health administrators in the region, as well as patient data that was manually sent to researchers and physicians in the region. For this reason, the DPA found that the regional board had not taken adequate technical and organizational measures to protect the data from unauthorized access, for example.