Data Protection Authority

Data Protection Authority Decision on Security Weaknesses in Healthcare Confirmed in Reykjavík District Court, but Fine Reduced

11th June 2025

Yesterday, the District Court of Reykjavík ruled in the case of the Directorate of Health against the Data Protection Authority due to a decision on security weaknesses on the website Heilsuvera. The District Court confirmed the Data Protection Authority’s assessment that there had been a serious weakness and that the lack of security gave rise to a fine. On the other hand, the amount of the fine was reduced from ISK 12,000,000 to ISK 8,000,000.

Yesterday, the District Court of Reykjavík ruled in case no. E-2571/2024. The case was brought to challenge the DPA's decision of 27 June 2023 (case No. 2020061844) concerning security weaknesses on the website Heilsuvera. That decision followed a notification from the Directorate of Health to the DPA about a security breach in which two individuals had been able to open data unrelated to them.

It was found that, on the one hand, registered users in the pregnancy care section of Heilsuvera who had access to a scan from either Sudurnes Hospital & Health Center or The Healthcare Institution of South Iceland could change the parameters in the URL and thus open other individuals' attachments in the health record system of the institution in question. The defect had existed in the system from 2015 until 8 June 2020. It was known that about 200,000 attachments belonging to over 40,000 individuals were involved, e.g. scans, heart and brain graphs, nurse letters and ambulance reports, and that the patients' personal identifiers were used to label the data.

In the same case, all registered users of the Heilsuvera message section could, by changing the URL, see communications unrelated to them. The standard message form did not include patient identification, but the messages could nonetheless be identifiable, e.g. when the writer had included rare first names, ID numbers or phone numbers. This defect was in the system from 28 March 2019 to 8 June 2020.
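Both defects described above belong to the same class: the service authenticated the user but did not check, for the specific record requested, whether that user was entitled to it, so changing an identifier in the URL returned someone else's data. The following is an added, constructed example (not code from Heilsuvera, the Directorate of Health or the DPA) contrasting that pattern with a lookup that enforces object-level authorisation and writes denials to an audit trail. The record store, identifiers and the `Session`/`Attachment` types are invented for illustration.

```python
"""Object-level authorisation for per-patient records.

Constructed example: the store, users and attachment ids below are made up
and do not reflect any real system.  It shows the defect pattern (lookup by
id alone) beside a hardened lookup that checks ownership first and records
every denial so that id-walking becomes visible in monitoring.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    owner_ssn: str   # personal identifier of the patient the record belongs to
    kind: str        # e.g. "ultrasound", "ecg", "nurse_letter"
    body: bytes


@dataclass
class Session:
    user_ssn: str                            # authenticated identity of the logged-in user
    clinician_for: frozenset = frozenset()   # patients this user is authorised to treat


# Constructed store keyed by a sequential id, the shape a guessable URL parameter takes.
STORE = {
    1001: Attachment(1001, "010190-1111", "ultrasound", b"<scan data>"),
    1002: Attachment(1002, "020290-2222", "ecg", b"<ecg trace>"),
    1003: Attachment(1003, "010190-1111", "nurse_letter", b"<letter>"),
}


class Forbidden(Exception):
    """Raised when an authenticated user asks for a record they may not see."""


def fetch_attachment_vulnerable(session: Session, attachment_id: int) -> Optional[Attachment]:
    """Authentication only: any logged-in user who changes the id parameter
    receives whatever record exists under that id.  This is the defect, not a fix."""
    return STORE.get(attachment_id)


def is_authorised(session: Session, att: Attachment) -> bool:
    """Object-level check: the requester must own the record or be a clinician
    explicitly linked to that patient."""
    return att.owner_ssn == session.user_ssn or att.owner_ssn in session.clinician_for


def fetch_attachment(session: Session, attachment_id: int, audit: list) -> Attachment:
    """Hardened lookup: authorisation is evaluated against the record actually
    fetched, and every outcome is appended to an audit trail."""
    att = STORE.get(attachment_id)
    if att is None or not is_authorised(session, att):
        # Same failure for "missing" and "not yours": do not confirm which ids exist.
        audit.append(("DENY", session.user_ssn, attachment_id))
        raise Forbidden(f"attachment {attachment_id} not available")
    audit.append(("ALLOW", session.user_ssn, attachment_id))
    return att


def try_fetch(session: Session, attachment_id: int, audit: list) -> Optional[Attachment]:
    """Convenience wrapper returning None instead of raising on denial."""
    try:
        return fetch_attachment(session, attachment_id, audit)
    except Forbidden:
        return None


def denied_lookups_per_user(audit: list, threshold: int = 3) -> dict:
    """Detection over the audit trail: users whose denied lookups reach the
    threshold, the signal a monitoring rule for this flaw class would alert on."""
    counts: dict = {}
    for verdict, user, _ in audit:
        if verdict == "DENY":
            counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    audit: list = []
    other = Session("020290-2222")
    print("vulnerable lookup leaks:", fetch_attachment_vulnerable(other, 1001))
    for att_id in (1001, 1003, 9999):
        print("hardened lookup:", try_fetch(other, att_id, audit))
    print("users over denial threshold:", denied_lookups_per_user(audit))
```

The point of the design is that the authorisation decision is made on the object that was retrieved, not inferred from the URL, and that denied lookups are logged; the two defects above went unnoticed for years partly because nothing recorded who had opened what.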

The Data Protection Authority considered it clear that the security of personal data had not been adequately ensured, as the requirement for regular security testing had not been complied with. Certain factors were assessed as mitigating, including the security measures otherwise in place at Heilsuvera. Other factors were assessed as aggravating, including the sensitive nature of the information, the number of records and the length of time the security weaknesses persisted. The Data Protection Authority also referred to materially incorrect and misleading explanations received from the Directorate of Health regarding the identification of the abovementioned attachments in the health record systems, and in light of this and other matters a fine of ISK 12,000,000 was imposed.

As regards the amount of the fine, the District Court examined the wording of the provision on which the Data Protection Authority had relied in treating the deficient explanations given to the DPA as significant. The court agreed that this aspect of the case should be taken seriously. However, it considered that the provision the DPA referred to did not place special emphasis on cooperation with the DPA in the investigation of a case as such, but rather on remedying an infringement and mitigating its adverse effects.

With reference to this and other factors, which the District Court considered to be significant in the case, the fine was reduced to ISK 8,000,000. Otherwise, the claims of the Directorate of Health were rejected and the decision of the DPA in that respect confirmed.
