India's Digital Personal Data Protection Act now published


With the Ministry of Electronics and Information Technology's 13 Nov. official notification of the Digital Personal Data Protection Rules, 2025, India's Digital Personal Data Protection Act has come into effect.


Rules on the registration and functioning of consent managers will apply 12 months after finalization while the remainder of the regulations will be enforced after 18 months.


So what's new?

  • Clearly mention the specified purpose(s) of personal data processing.
  • The rules also include a purpose-based exemption regarding children's data processing. These exemptions are narrowly defined to only cover health- and safety-specific purposes.
  • Requests should be answered within 90 days.
  • The Indian Data Protection Board has been established.




7 THINGS TO KNOW BEFORE 2026 CCPA UPDATES TAKE EFFECT

The California Privacy Protection Agency published a guide containing seven items to help covered entities comply with the new regulations entering into force 1 Jan. 2026:


  1. Risk assessments
  2. Requests to opt-out of selling/sharing
  3. Request to know
  4. Request to correct
  5. Maintaining correct data
  6. Health data corrections
  7. Sensitivity of youth data


Also, the Delete Act is set to take effect on 1 Jan. 2026: from that date, state residents can begin using CalPrivacy's new Delete Request and Opt-out Platform ('DROP') to request deletion of all personal information held by multiple data brokers.


Also, the California Consumer Privacy Act regulations on cybersecurity audits, risk assessments, and automated decision-making technology (ADMT) impose a variety of obligations on businesses to designate specific individuals who are responsible for the business's privacy, artificial intelligence, and cybersecurity practices.

Starting on 1 Jan. 2026, businesses will need to start performing risk assessments for new processing that presents significant risk to privacy.


On 1 Jan. 2027, businesses:

  • will need to comply with the ADMT requirements on pre-use notice, opt-out choice, and access
  • will enter the initial period subject to mandatory cybersecurity audits



Download document from CPPA: https://cppa.ca.gov/pdf/things...





Examples of Non-Compliance with Health Data Privacy

Data Protection Authorities published several decisions related to the processing of health data in the past months.

Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisation. Check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).

Many thanks to GDPRhub (NOYB) and to IAPP for all this valuable information!


Australia:


Fact:

Australia's Federal Court fined the parent company of MedLab Pathology for violations of the Privacy Act stemming from a 2022 data breach that compromised the personal information of more than 223,000 patients. Australian Clinical Labs (ACL) was fined AUD 5.8 million after investigators found that ACL's senior management was involved in the decisions on integrating MedLab's IT systems into ACL's core environment and on whether the hack constituted an eligible data breach, and cited its "failure to act with sufficient care and diligence in managing the risk of a cyberattack" on MedLab.
Full story


Takeaway:

As mentioned in previous Newsletters, it is key that senior management is informed of and involved in decisions related to IT security, cybersecurity and privacy. ACL and MedLab should have implemented the security measures recommended by Australia's IT security agency.


Canada:


Fact:


An Otter.ai bot used by an Ontario hospital staff member as a meeting transcription tool allegedly collected and shared patients' sensitive health information with 65 individuals, including 12 former employees, The Globe and Mail reports. The Privacy Commissioner of Ontario urged the hospital to ask Otter.ai to delete the transcription data and address its security safeguards.
Full story


Takeaway:

Staff should only use software that has been tested and vetted by their IT department.


Greece:


Fact:


The DPA held that, in the case of a complaint against a medical doctor who had allegedly accessed medical files without authorization, which was later withdrawn, his failure to cooperate with the DPA still justified issuing a reprimand.
Read more on GDPRhub.


Takeaway:

The GDPR states that you must have a valid legal basis to access or process people's personal data. In addition, healthcare law states that only healthcare professionals who are members of the care team can access a patient's personal data.


Italy:


Fact:

The Italian DPA fined the local health authority of Ferrara €20,000 for failing to implement appropriate security measures, which allowed coworkers to access and further disclose the medical file of another employee after they became a patient of the hospital.
Read more on GDPRhub.


Takeaway:

As said in previous Newsletters, all organizations must put in place technical and organizational security measures.


Poland:


Fact:

The DPA fined a medical center €9,000 for failing to report a personal data breach to the DPA and to notify the affected data subject without undue delay. The data breach involved the transmission of sensitive data to an incorrect recipient.
Read more on GDPRhub.


Takeaway:

A serious data breach must be notified to the local Data Protection Authority within 72 hours, weekends and public holidays included.



Spain:


Fact:

The DPA fined a medical clinic €30,000 for violating Article 5(1)(f) GDPR by exposing clients' phone numbers and health data in a messaging group without adequate confidentiality measures.
Read more on GDPRhub.


Takeaway:

As said above, organizations must put in place technical and organizational security measures.


USA:


Fact:

CarePro Health Services, a home healthcare services provider based in Iowa, will pay USD 1.3 million to settle a class-action lawsuit over a cyberattack that breached the data of 151,499 individuals, The HIPAA Journal reports. The lawsuit alleged that the company's inadequate safeguards allowed an unauthorized third party to obtain individuals' sensitive personal data, including Social Security numbers and financial information.
Full story


Takeaway:

Healthcare providers should implement the technical and organizational security measures recommended by their country's national IT security agency; for the USA, that is the National Institute of Standards and Technology (NIST).


Fact:

In July 2025, Illumina Inc., a leading manufacturer of genomic sequencing systems, agreed to pay USD 9.8 million to resolve False Claims Act allegations arising from cybersecurity vulnerabilities in its genomic sequencing systems.
Read more: https://www.justice.gov/opa/pr...


Takeaway:

This case is interesting because no data breach had happened, but the software used by Illumina contained several vulnerabilities exploitable by cyberattacks. So, as mentioned above, it is important to apply the NIST principles, and here also to perform a thorough computerized system validation and check that the software complies with the medical device regulations.


Fact:

The U.S. Department of Health and Human Services' Office for Civil Rights reached a settlement with Cadia Healthcare Facilities over alleged violations of the Health Insurance Portability and Accountability Act. The healthcare provider was alleged to have disclosed a patient's name, image and information while posting about their recovery efforts in a company blog post. The company had done so without obtaining authorization from the patient and from 150 others who had also been featured on the website.

Read here: HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information | HHS.gov


Takeaway:

You should always ask for people's consent before posting images, videos or information about them on the Internet.




European Commission proposes Omnibus to Simplify GDPR and AI Act


The European Commission released its Digital Omnibus Regulation Proposal and Digital Omnibus on AI Regulation Proposal on 19 Nov.


The draft texts seek to simplify aspects of the EU digital rulebook, including targeted areas of the EU General Data Protection Regulation and the AI Act.

With the rapid rise of artificial intelligence and the proliferation of digital regulations in the EU, competitiveness concerns outlined in the Draghi report, and geopolitical pressure from the U.S. and China, the Commission is peeling back some rules it considers onerous.


At a high level, the data union strategy aims to provide the EU with high-quality data for developing AI and to strengthen the EU's approach to international data flows, according to European Commissioner for Tech Sovereignty, Security and Democracy Henna Virkkunen during a press conference at the Berlaymont building in Brussels.


Simplifications to the GDPR:

"We are proposing to clarify in the GDPR that organizations may rely on legitimate interests to process personal data for AI-related purposes, provided they fully comply with all existing GDPR safeguards," said Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection.

Cookie banners: the new rules will make sure users "can express real choices" by being able to "accept or refuse cookies now with one click".


Proposed changes to the AI Act:

The AI Act rules for high-risk processing were planned to go into effect in August 2026; this deadline will be pushed out, to December 2027 at the latest.

Simplifications for small and medium-sized enterprises and small mid-cap companies in the form of pared-back technical documentation requirements are under consideration.


Data Act:

The Data Act will be simplified to unlock access to high-quality and fresh datasets for AI.


Read the press release from the EU Commission dated 19 November 2025 here: https://ec.europa.eu/commissio...




Vietnam: New Privacy Law for January 1, 2026

In line with other Asia-Pacific personal data protection laws, following South Korea, China and Singapore in particular, Vietnam is also strengthening its legislation with additional binding requirements on data processing and on data transfers outside the country.


On June 26, 2025, Vietnam enacted Law #91/2025/QH15, the Personal Data Protection Law ("PDPL"), which will come into force on January 1, 2026, reinforcing the initial Decree #13/2023/ND-CP ("PDPD") to protect the personal data and privacy of citizens and residents of Vietnam.


This text aims to strengthen certain modalities: in particular, it clarifies which organizations must apply the new law, sets the penalties incurred in the event of a breach at up to 5% of turnover, and specifies certain obligations, in particular the regulatory requirements applying to the processing of so-called sensitive data and/or to international transfers. The goal is to move a little closer to the neighbouring countries in Asia while keeping some specificities of Vietnam.


Among the similarities with the above-mentioned countries is the need to obtain explicit consent from individuals, including separate consent for the transfer of data outside the territory. These two criteria are expressed in a similar way to China's PIPL/CBDT, and they are a notable difference from Chapter V of the GDPR, which offers other alternatives in the EU.


The Vietnamese PDPL mandates a data transfer impact assessment (DTIA, the equivalent of the transfer impact assessment under the EU GDPR) as well as a data processing impact assessment (the equivalent of the DPIA under the EU GDPR) whenever sensitive data is processed. The main difference is that the DPIA must be submitted to the local supervisory authority (similarly to China under the PIPL/CBDT).


Vietnamese law also goes further, stipulating deadlines to be respected for this submission to the local authorities as well as periodic reviews of these impact assessments (DPIA and DTIA) in very specific scenarios.


Also, it follows from its new compliance criteria that each organization will need qualified people and will have to constitute "personal data protection forces" to fully guarantee the protection of personal data in this country.



This PDPL is certainly a major step forward in strengthening the data protection of citizens and residents in Vietnam, and it follows in a perfectly logical way the regional integration in Asia-Pacific and internationally, making the protection of personal data a little more complex at the global level.


A question? Contact our senior consultant Karine Renault at k.i.renault@pharmarketing.net


  1. According to the GDPR, what is the maximum period within which a controller must notify the local Data Protection Authority of a serious personal data breach?

Answer: 72 hours

  2. According to HIPAA, what is the maximum period within which a controller must notify the HHS of a personal data breach of health data affecting more than 500 patients?

Answer: 60 calendar days