Hesse: Numerous data protection complaints, breaches in medical practices
The Hessian State Data Protection Commissioner has presented his activity report. According to the report, fines amounting to 545,000 euros were imposed.
The Hessian State Data Protection Commissioner Alexander Roßnagel has presented his activity report for 2024. According to the report, a record number of 2141 data protection violations were reported in Hesse, although a high number of unreported cases is to be expected. Fines totaling 545,000 euros were imposed in 47 cases.
Fines for medical practices
Fines were imposed, for example, on medical practices that responded publicly to negative Google reviews of their practice and disclosed sensitive patient or treatment data in the process. Patients were addressed with their real name, among other things, although they had submitted their review under a pseudonym. In other cases, details such as diagnoses, findings, medications, prescriptions or other treatment-related information were published that went beyond what the patients themselves had made public.
Another medical practice was fined for a video camera hidden in a wall clock that was intended to monitor the reception area. "In another medical practice, the practice manager took patient data home with him and stored it there unprotected so that party guests could take note of the data", according to a statement from the data protection authority. The doctor had also exchanged photographs of patient files via WhatsApp.
Roßnagel also criticized the use of palm vein scanners to identify blood donors in one case. The blood donation service had not offered donors any alternative, which one donor had complained about. After Roßnagel pointed out to the company "the considerable doubts regarding the voluntary nature of consent to the processing of biometric data", donors can now also identify themselves with an ID card.
According to the report, a ransomware attack on Frankfurt University Hospital in October 2023 was detected and stopped in time before patient data could be encrypted or stolen. The IT infrastructure was then disconnected from the internet, a crisis team was formed and external IT security experts were brought in. As a result, internet services such as websites, email and online orders temporarily stopped working, while internal patient care could be maintained. The university hospital's IT infrastructure was then redesigned and rebuilt.
Data misplacement and open email distribution lists
Most of the data breaches, however, were associated with the incorrect sending of data and open email distribution lists, as well as the misuse of access rights and cyberattacks. It is striking that cyberattacks on Hessian municipalities have increased. There were 482 reports of cyberattacks on authorities in Hesse: "We analyze and evaluate all reports and try to help limit their damage potential and prevent them from recurring", says Roßnagel.
Microsoft for authorities
Roßnagel also held talks with Microsoft regarding the use of Teams in the Hessian state administration. According to him, the data protection-compliant use of Teams is possible if users actively take additional measures. This includes the "early deletion of personal data, which Microsoft does not carry out". A suitable deletion concept could help, and Microsoft should support its implementation. A final data protection assessment is still pending, however, and will only be carried out after the actual introduction, since it is only possible after a "concrete design and implementation of this cloud service".
Apps want many rights
In addition, several cases have been documented in which Android apps demanded an inappropriately high number of permissions, or permissions that were not necessary at all. An online banking app, for example, demanded access to contacts, location or microphone, even though none of this was necessary for the actual purpose of the app. Roßnagel recommends that developers regularly check "whether functionalities in apps still require the requested permissions or whether these have become obsolete due to program changes or updates". Parent councils should also think about which messenger they use for communication.
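One way to turn the recommended check into a repeatable audit, as an added example that is not part of the report or of any named app: parse the app's AndroidManifest.xml and flag every requested permission that no feature in a team-maintained inventory still justifies. The manifest below is constructed for illustration, and the feature inventory is a hypothetical structure a team would keep alongside the code.

```python
"""Audit an Android manifest for permissions that no declared feature justifies."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app): a banking app that
# requests contacts, location and microphone alongside what it actually needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Hypothetical feature inventory maintained by the team: which permissions each
# shipped feature still needs. Dropping a feature here makes its permissions
# show up as unjustified on the next audit run.
FEATURE_PERMISSIONS = {
    "api_calls": {"android.permission.INTERNET"},
    "photo_tan_scanner": {"android.permission.CAMERA"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def unjustified_permissions(manifest_xml, feature_permissions):
    """Permissions the manifest requests that no current feature accounts for."""
    justified = set().union(*feature_permissions.values())
    return sorted(requested_permissions(manifest_xml) - justified)


if __name__ == "__main__":
    for perm in unjustified_permissions(SAMPLE_MANIFEST, FEATURE_PERMISSIONS):
        print("no feature justifies:", perm)
```

Running the audit in CI against the real manifest and inventory catches permissions that outlive the feature that once needed them.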
In addition, for example, 441 complaints were received in the area of the credit industry, 313 in the area of address trading/advertising, 232 complaints due to video surveillance and one due to the census.
(mack)