Turkey’s Personal Data Protection Board (“Board”) in its latest ruling numbered 2020/407, examined a data breach notification made by a data controller hospital (“Hospital”).

 Data Breach Notification

In the data breach notification made by the Hospital to the Board, it was stated that patient files were taken out of the Hospital archives by some Hospital personnel under instruction of a doctor working in the  Hospital, and the violation was fully determined as a result of the examination of the camera records seventeen days after the breach was first noticed.

Additionally, it was stated that in addition to identity, contact, health information and genetic data of 789 patients, patient file anamnesis content was also affected. In this context, the data affected from the subject breach was provided as TR ID number, name, surname, father's name, mother's name, social security number, private insurance, contracted health care provider , organization of the employer, nationality, date of birth, gender, marital status, blood type, profession, tax office, tax number, address, zip code, e-mail address, home phone number, work phone number, mobile phone number, insurance status, retirement status, policy number, disability status, employee name, doctors who provided treatment to the patient and their branches, drugs used, habits, allergy history, family history, psychological state, findings, laboratory tests, pre-diagnosis, diagnosis, treatment and care plan, previous diseases, surgeries, etc

The Board’s Approach

The Board before issuing its ruling stated that the loss of patient files could not be prevented, indicating that adequate measures were not taken to reduce the risks of loss of patient files.

The Board also stated that as data is affected by the breach, many personal data belonging to data categories such as identity, contact, location, personal data, genetic data, health data and sensitive personal data considered that it is an indication that data subjects are likely to be exposed to significant adverse impacts.

In addition, the Board evaluated that the Hospital did not provide adequate training to the employees on personal data protection, although the former employees had received training on the protection of personal data.

The Board also evaluated that the detection of the violation after seventeen days despite the existence of events that raise the suspicion of violation is an indication that the personal data security policies and procedures are not well prepared or followed by the data controller Hospital, and that the existing security measures are not implemented effectively.

Further, the Board stated that the current situation shows that adequate administrative measures were not taken to ensure unauthorized persons to not enter the archive room where patient data and recordings are kept.

Finally, the Board has evaluated that due to the fact that the existing data security measures of the Hospital are not well prepared or cannot be implemented, the measures to detect and prevent the subject breach could not be taken in a timely and sufficient manner.

Consequently, the Board decided to impose an administrative fine to the Hospital also taking into consideration that the breach was notified to the Board twenty five days after the detection of the violation and was not reported to the relevant parties.

Esra Temur, Simge Kılıç