Denmark’s data protection authority, Datatilsynet, is recommending a financial penalty against the Central Jutland region for failing to ensure a sufficiently high level of security in storing patient records at the regional hospital in Horsens.

The authority fell foul of privacy laws because the covers of some of the 100,000 physical patient records could be seen by passers-by through a building’s clear, unfrosted window. The information visible included the patient’s name and social security number.

Though it accepted access was unintentional, Datatilsynet found that Central Jutland region had not established appropriate safeguards for storage of the personal data.

“That all employees and patients who were at the hospital have had access to an archive of approximately 100,000 patient records is a serious mistake which should have been discovered earlier,” head of data information Frederik Viksoe Siegumfeldt said. 

Datatilsynet is recommending a fine of DKK400,000 ($63,500, €53,800).