Examples of Non-Compliance
with Health Data Privacy
Examples of Non-Compliance
with Health Data Privacy
Data Protection Authorities ('DPAs') published several decisions related to the processing of health data in the past months.
Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.
For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisations: check that such measures are implemented at your organisation, and if not, talk to your management (or talk to us!).
Many thanks to GDPR hub NOYB and to IAPP for all this valuable information!
Australia:
Fact:
24 June 2026: The Australian Privacy Commissioner, the OAIC, found that health service providers Medmate Australia Pty Ltd (Medmate) and Monash IVF Pty Ltd (Monash) interfered with the privacy of individuals whose sensitive information was collected via third-party tracking pixels. The OAIC said that the use of tracking pixels to track website visitors to health-related websites, and to subsequently target them with advertising on social media platforms, amounts to a collection sensitive information for which the website provider must obtain users’ consent and comply with Australia's Privacy Act.
Takeaway:
In all countries globally, organizations must always inform data subjects about a collection and/or a processing of their personal data: the data controller must provide them an information notice explaining the objective, the legal basis, where data will be stored, which subcontractors will process their personal data, if personal data will be transferred outside the country and which security measures are in place. In addition, because there will be targeted advertising, the consent of the patients is required.
Denmark:
Fact:
15 June 2026: The hack-and-leak group FulcrumSec claims to have stolen 1.3TB of data from Novo Nordisk. “The incident affected a limited amount of information related to patients participating in some of our clinical trials,” Novo Nordisk said. Read more: https://www.novonordisk.com/ne...
France:
Fact:
Healthcare platform MesVaccins (MyVaccines) informed its users it experienced a security incident on 15 June 2026, exposing health data of some of its users. The number of patients has not been communicated. Read more (in French): https://frenchbreaches.com/ale...
Takeaway:
We cannot comment as MesVaccins didn't share the cause of the cyberattack.
Fact:
The French Data Protection Authority, the CNIL, fined a IQVIA €5,000,000 for insufficiently anonymising data processed in its pharmacy and medical-record data warehouse, allowing the unwanted identification of data subjects by singling them out. Read more: https://gdprhub.eu/index.php?t...
Takeaway:
It's the second time in a year that the CNIL fines an healthcare data warehouse company for insufficient anonymisation of patient data. Full anonymisation is different from Pseudonymisation (= de-identification) and is a very thorough, elngthy and costly process. Furthermore, a data set might be fully anonymized today, and become reidentifiable patient data 2 years later.
To be sure to have fully anonymized a data base (or a dataset), organizations should send the anonymized database or data set to their local DPA for opinion. And it is ONLY when they have received the greenlight that the organization can proceed and put the data warehouse in production.
Moreover, if the health database contains patient data from several countries, the organization should ask the opinion from the DPAs from ALL THESE COUNTRIES.
In addition, health data warehouses should comply with the guidelines issued by local countries if any.
Germany:
Fact:
The Federal Administrative Court held that the processing of health data by an insurance company offering preventive programs fell under the preventive healthcare exemption in Article 9(2)(h) GDPR. However, the relevant processing lacked a legal basis under Article 6(1) GDPR. Read more or edit on GDPRhub...
Takeaway:
GDPR authorizes the processing of patient data by non healthcare professionals in several situations, and preventive healthcare is one of them.
And every personal data processing must have a valid legal basis, documented in the Registry of Processing Activities ('ROPA').
India:
Fact:
India-based wearable health technology startup Ultrahuman announced hackers breached user wellness data after reportedly using malware to steal an employee's credentials, TechCrunch reports. Company officials told the publication the hackers gained access through an internal tool used to measure analytics and 0.1% of users' data was impacted, which is approximately 700 customers. The company said it took affected systems offline after discovering the breach.
The breach highlights how wellness tracker startups store users’ data on their servers in a way that allows their employees — as well as governments and malicious hackers — to access customers’ health data. Founded in 2019, Ultrahuman sells smart rings and metabolic health-tracking devices that enable users to monitor metrics such as sleep, activity, and recovery.
Takeaway
First, employees should not be able to access health data, even the IT team: to this end, it is a good practice to encrypt all data in transit and at rest.
Second, all staff should attend an annual refresher training on privacy and how to recognize phishing emails.
Italy
Fact:
Italy's data protection authority, the Garante fined the Emirates airline €180,000 ($208,890) for breaches on transparency and data storage limits: the airline retained health data collected via medical forms for seven years, which is clearly excessive and disproportionate.
Takeaway:
Although an airline has a legitimate interest to collect health data from passengers with disabilities, in order to provide them with appropriate assistance, privacy laws in Europe, Brazil, China, Canada, etc. mandate that the airline must inform the data subjects on several points before collecting their personal data: the objective of the personal data processing, which organisations will process their personal data, where will it be stored and hosted, how to contact the Data Protection Officer if any, and the rights the people can exercise on their personal data. These information must be provided in an information notice to every passenger before they start filling the form, and also on the airline's website.
In addition, the airline should keep passenger information only for the duration of the flight, and may be for a few additional months, but 7 years is clearly too much. If Emirates wants to keep the health data for more time, they need to explain in a document why they need so, and which organizational and technical security measures they put in place to protect people's health data. Not doing so is clearly a breach of privacy laws.
Lithuania:
Fact:
The DPA fined a doctor €1,153 for unlawfully accessing the data of over 1,200 patients of Šakiai Primary Health Care Center the doctor worked for, in link with a data breach that had been notified to the Lithuanian DPA. Acting as a controller, the doctor invited the patients to a new medical institution they planned to move to. Read more or edit on GDPRhub...
Takeaway:
Whereas the doctor has a legitimate interest to inform his/her patients that he/she will be leaving the medical center,
he/she should have done this in a transparent manner to the medical center.
Because the doctor didn't inform the medical center in advance, the latter thought it was victim of a data breach and notified the local DPA.
In addition to breaching the GDPR, the doctor probably breached the non compete rules of his country.
United States:
Fact:
In March 2026, Iranian hackers launched a Cyberattack on US medical device giant Stryker. The hackers did break in and remotely wipe tens of thousands of employee devices in one fell swoop, causing widespread disruption to the company’s operations for several days. Read the Techcrunh article here: https://techcrunch.com/2026/03...
The breach ended up having a material impact on Stryker’s first-quarter earnings after regaining control of its systems, read in the HIPAA journal here: https://www.hipaajournal.com/s...
Takeaway:
We cannot comment as the root cause of the cyberattack iwas not disclosed.
Fact:
A U.S. Veterans Affairs Office of the Inspector General report found that providers in VA clinics across the U.S. are using AI tools for patient care and documentation despite the Veterans Health Administration not establishing oversight and safeguards for the use of the technology, GovInfoSecurity reports. It also found that, over a 90-day period between October 2025 and January, more than 15,000 VA staff used VA GPT or Microsoft Copilot Chat, which may have had access to patients' medical information. Read more here: https://www.govinfosecurity.co...
Takeaway:
It is extremely important that employees comply with their organisations' guidelines in terms of AI. Also, it's good practice among life science companies to develop their own AI which are fed by their chosen data: when employees use such 'corporate AI', they work in closed circuit with no risk to see their requests be used outside of the organisation.
Fact:
US Healthcare technology company Xsolis, Inc. was targeted by a cyber attack affecting the Protected Health Information of nearly 1.4 million individuals. Read more: https://www.securityweek.com/x...
Privacy News
from around the Globe:
Global:
ICH M11: Clinical Electronic Structured Harmonised Protocol (CeSHarP): The Expert Working Group issues final overview presentation. Read more here: https://www.ich.org/news/ich-m...
Estonia:
Estonia's Prime Minister Kristen Michal announced the country will grant AI agents digital identities in order to identify the company or individual it is carrying out tasks for. Read Euractiv article here: https://www.euractiv.com/news/...
European Union:
Digital omnibus:
On 16 June 2026, the European Parliament gave its final approval to the amendment of certain rules within the EU’s as part of the digital omnibus package.
The legislation postpones the application of certain parts of the AI Act to ensure that the necessary standards and support measures are in place. Obligations on high-risk AI systems will apply:
The law also delays the application of watermarking obligations on AI-generated content until 2 December 2026. By this time, AI-generated content will have to be labelled in a machine-readable way to increase transparency.
Before the law can enter into force, it still needs to be adopted formally by the Council. Most of the provisions of the AI Act will start to apply on 2 August 2026.
Discover all the details in the press release here .
EDPB:
On 10 June the EDPB adopted common data breach notification template; read more here: https://www.edpb.europa.eu/new...
Code of Practice for labeling AI-generated content:
On 10 June 2026, the EU Commission published its Code of Practice on marking and labelling AI-generated content. Read more here: https://digital-strategy.ec.eu...
Tech sovereignty package:
On 3rd June 2026, the EU Commission released its tech sovereignty package to strengthen Europe's digital autonomy and resilience. The package contains four different documents: the Chips Act 2.0, the Cloud and Artificial Intelligence Development Act ('CADA'), an Open Source Strategy, and a Strategic Roadmap for Digitalisation and AI in Energy. Read the press release here: https://ec.europa.eu/commissio...
United Kingdom:
The U.K. Data (Use and Access) Act's data protection compliant obligations have gone into effect, requiring organizations to implement measures to accept complaints from individuals and address concerns within 30 days.
The ICO shared the guidances they plan to work on in the future to reflect the DUAA amendments. Key ones are:
See the list of future guidances: https://ico.org.uk/about-the-i...
On 11 June 2026, the ICO released its guidance on consumer Internet of Things (IoT) products and services
United States:
Federal
On June 2nd, 2026, the US White House released executive order 14409 on Promoting Advanced Artificial Intelligence Innovation and Security. The latest version of the order asks companies to voluntarily submit models to the government for testing 30 days before they are released publicly. Originally, the administration had asked for 90 days. Read more here:https://www.whitehouse.gov/pre...
Then on June 4th, the Cybersecurity and Infrastructure Security Agency (CISA) said it plans to release a directive to federal agencies detailing actions required to carry out the president’s artificial intelligence executive order
Louisiana
Governor Landry signed the Louisiana Data Privacy Act (LDPA) (SB 386) on May 29. The LDPA applies to businesses with gross revenues exceeding USD25 million, that annually buy the personal information of more than 75,000 consumers or that derive more than 50% of its revenue from selling personal data. The law enters into force 1 Jan. 2027. Read more here: https://fpf.org/blog/privacy-b...
Vermont
Vermont becomes 23rd state to enact consumer privacy law. The law applies to data controllers or processors that handle the personal data of more than 35,000 state residents, those processing the sensitive personal data of at least 3,000 state residents or those selling personal data of at least 3,000 residents. Read the text of new law here: https://legislature.vermont.go...

: personal data must be fully anonymized before they can be sent abroad.:
Dear Sir/Madam,
Thank you for contacting us.
We will get back to you as soon as possible.
Best regards,
PharMarketing