The Swedish SA has initiated an audit of Region Dalarna after receiving complaints that the region had printed appointment letters to patients where the healthcare facility to which the visit refers was fully visible in the window envelope.
The Swedish DPA has concluded that the processing of personal data in the current case is partially automated and that the data protection regulation is applicable. The use of window envelopes when sending appointment letters from the clinics covered by the audit, where the current care facility was visible in the window envelope, means that sensitive personal data has been disclosed without authorization for an unknown number of people who came into contact with the letter. This refers to about 2,500 letters per year, including to a children's and youth medicine clinic and a therapy clinic for children and young people.
– This means that sensitive personal data about the patient has been available to, for example, the person who delivers the mail, the person who lives with the recipient and the person who received a letter that was delivered to the wrong address. The data has therefore not been adequately protected, says legal advisor Maja Welander, who led the audit.
The health care board in Region Dalarna states that it has procured a service for sending appointment letters where it should not be clear from the envelope which clinic a letter regarding a healthcare visit refers to. After IMY began its audit, however, the board carried out an investigation which showed that the service in question did not cover all appointment letters and that letters from certain care facilities were therefore sent in envelopes showing which clinic the visit referred to.
The Swedish DPA states in its decision that the region has not taken sufficient security measures to protect sensitive personal data against unauthorized disclosure in connection with the sending of physical invitations to certain healthcare visits within the region. The authority therefore issues an administrative sanction of SEK 200,000 against the region for breach of the data protection regulation.