Denmark’s DPA fines the Region of Southern Denmark for failing to securing psychiatric data of 30,000 children

Denmark’s DPA, Datatilsynet has fined the Region of Southern Denmark DKK 500,000 for failing to comply with required security requirements to protect a database containing psychiatric information of more than 30,000 children from unauthorized access.

For more than one and half years, the Region of Southern Denmark had a database for research and clinical purposes which they failed to secure adequately against unauthorized access to PDF documents in the database by simply changing a URL. Citizens who were registered in the database or had a login to the database could access personal information including questionnaires containing health information on more than 30,000 children associated with psychiatry.

The issue was brought to the notice of the Authority by a citizen in 2020 and shortly after the region reported the matter as a breach of personal data security to the Authority. It is believed apart from the database has not been exploited by anyone other than the citizens who were registered.