Archibishop Makarios Hospital hit with a €5.000 fine by the Cyprus Commissioner

Archibishop Makarios Hospital hit with a €5.000 fine by the Cyprus Commissioner for losing a patient’s medical records

A patient submitted a complaint to the Cyprus Commissioner after her request for the exercise of the right of access to her medical records was not met by the Archbishop Makarios III Hospital as her file could not be located.

After investigation of the complaint by the Commissioner and announcement of the prima facie violation of GDPR on 30/7/2018, an administrative fine of €5.000 was imposed on the hospital on 7/11/2018 for loss of patient medical records.

According to the Commissioner’s decision, the following factors had been taken into account to reach her decision:

1. The measures previously taken by the hospital to improve protection of patients' medical records  (e.g. initiation of medical records handling system, electronic storage of patients’ X-rays, scheduled recording of lost files in the computerized system, establishment of measures and levels of accessibility, no remote access (from computers outside hospital) in the system and placement of signs indicating that it is strictly forbidden for patients to hold their medical records while at the hospital);
2. the fact that there had been prior decision against the hospital for breach of data protection laws in relation to patients’ medical records;
3. the fact that sensitive data were contained in the patient’s medical records.