Denmark’s DPA Datatilsynet has reported Medicals Nordic to the police for processing users’ health and other confidential information about their coronavirus tests with inadequate security.
The data protection authority also fined the company DKK600,000 ($95,700, €80,700).
“We take the matter very seriously because it concerns sensitive information,” said Allan Frank, lawyer and IT security specialist at Datatilsynet.
“When you are entrusted with processing citizens’ health information, there is a responsibility to take good care of it, and this has not been done in this case.”
Last January the authority investigated a report that Medicals Nordic used a WhatsApp messaging group to transmit confidential data, including social security numbers, about people tested at the four Covid-19 testing centres it operated.
The DPA found that employees used their private phones to send the information to the company’s central administration. The setup led to group members receiving all transmitted messages, which, in Datatilsynet’s opinion, they did not have a work-related need to process.
“Inadequate access control of the groups further meant that employees who were no longer employed were not removed from the WhatsApp group, so they could continue to access the information transmitted in the groups,” the authority said.
After Danish national newspaper BT revealed Medicals Nordic’s use of WhatsApp in January, the company said it would stop using the messaging service.