Sanction on HM Hospitales for not implementing adequate security measures
07 November 2024
In August 2022, D. A.A.A. filed a complaint against HM HOSPITALES 1989, S.A. (HM) with the Spanish Data Protection Agency (AEPD). The complaint pointed to several security deficiencies in how HM's software "Doctoris" managed patient data; the software had not been audited in the previous three years on the grounds that it was subject to constant changes and improvements. The system, developed and maintained by TRC INFORMÁTICA, S.L., handles a wide range of sensitive data, including patient records, clinical experiences, and laboratory information. The AEPD opened an investigation and found that HM had infringed Article 32 of the GDPR, which requires the implementation of technical and organisational measures ensuring a level of security appropriate to the risk. The deficiencies identified included the lack of robust encryption, inadequate measures to ensure the confidentiality and integrity of the data, and the absence of regular audits to verify the effectiveness of the security measures.
On August 29, 2023, the AEPD decided to impose a fine of €200,000 on HM HOSPITALES for the infringement of Article 32 of the GDPR. The decision took into account the negligence in implementing adequate security measures, the large scale of data processing, and the sensitive nature of the data involved.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.