Commissioned by Hels Sour-Est, Hels West and Hels Nord, Unilabs analyzes hundreds of thousands of X-ray examinations each year.
Yet X-ray giants failed to inform health authorities and patients that since 2016 a total of more than 170,000 tests have been examined at a clinic in Romania.
The hidden deal was terminated after NRK exposed the practice in February.
Now the Norwegian Data Protection Authority confirms that it will open a supervisory case on the matter.
– Based on what has emerged, we see the need for more information regarding the provision of services to Romania and what assessments have been made regarding the protection of personal data in relation to that, says Susanne Lai, Special Director at Norwegian Data Protection. Authority.
Susanne Lye, subject director at the Norwegian Data Protection Authority.
Photo: Bjørn Olav Nordahl / NRK
A risk assessment should be carried out
Two radiologists with Norwegian accreditation work in a Romanian clinic. In addition, NRK, Norway said at least 16 people accessed Unilabs’ internal systems without authorization.
About 600,000 examinations of Norwegian patients are registered here annually.
Several Unilabs patients have contacted NRK, now wondering if their radiological images, patient history and other sensitive information were shared with unauthorized healthcare workers in Romania.
As required by law, before services are outsourced to subcontractors, risk and vulnerability analysis must be done.
Unilabs never told Hels Sour-Ost, Hels West and Hels Nord about the Romanian clinic, saying the healthcare organizations could not assess the risk of patient information being publicly shared with at least 18 people in Romania.
Malgorzata Agnieszka Cyndecka, a privacy expert and lawyer at the University of Bergen (UiB), reacts to the revelations in the case.
– By not carrying out a risk assessment, you will never know if you are complying with the requirements GDPR Sindeka explains the poses, and how to break the rules.
Malgorzata Agnieszka Cyndecka is Associate Professor and GDPR expert at the University of Bergen.
Photo: Kim E. Andreassen, University of Bergen
He points out that the clinic in Romania is also responsible for complying with the requirements set by the GDPR. Sintecca believes Unilabs is liable for violating privacy regulations because they never told healthcare companies about the Romanian clinic.
– I think it would be interesting to know how long Unilabs has been doing this and if they have ever been familiar with privacy regulations and read GDPR. Article 28GDPR expert says.
Violations of the Personal Data Act can lead to higher charges. In recent years, the Norwegian Data Protection Authority has on several occasions issued fines worth several million kroner.
Also read: Anger against Unilabs after hidden Romania deal
– betrayal
Misunderstanding privacy requirements and health laws can have negative consequences for individual patient health care, the Ministry of Health and Care Services said in a statement. Circular in 2019.
Areas of greatest risk of patient safety failure include the flow of information within and between health services.
Head of Department at NTNU is Nils Kalstad He specializes in information security and has read with interest NRK’s articles about the Unilabs clinic in Romania.
– Breach of trust in the individual patient and breach of compliance in the supply chain appear to be the biggest challenges from an information security point of view, says Kalstad, who insists that this matter is only known from the media.
NTNU’s Nils Kalstad in the Department of Information Security and Communication Technology
Photo: Knut Rosrud
Professor Johann Gustav Bellica at UiT The case is considered serious, and Norwegian says personal safety is important in health.
– Maintaining confidentiality is fundamental to the trust between the patient and health care workers. If patients ignore their health through IT systems, how can they trust the healthcare system, says Bellica.
The Norwegian Health Authority is asking Unilabs for an explanation
Further Norwegian Health Authority Curious about how Unilabs handled privacy and information security in this case.
– The Norwegian Health Authority will ask Unilabs for an explanation of the risk and vulnerability assessments they used when choosing the specified solution. Unilabs should also document current procedures and contracts. Based on this, we will decide whether further surveillance is required, he said Department Director Ingrid Herstad Nygaard to NRK.
X-rays from Unilabs departments in Norway were examined by doctors in Romania.
Description: Mari Grafsrønningen
Hell’s Sour-East informed both the Norwegian Health Authority and the Danish Data Protection Authority about the use of Unilabs Norwegian radiologists in Romania.
NRK asked Babar Kasi, Managing Director of Unilabs Norway If there is access to radiologists in Romania Everyone Investigations into the internal systems of Unilabs Norway. But Kasi does not want to answer NRK now because the Norwegian Data Protection Authority has opened a case on the matter.
Kashi responded in an email to NRK The following are:
– We are also aware that Unilabs has received an inquiry from the Norwegian Health Authority requesting information on this matter, and that the Norwegian Data Protection Authority has opened an investigation case on the matter. We have not yet received any inquiry from the Norwegian Data Protection Authority. We look forward to an independent review and dialogue with supervisory authorities to explain the case in all its complexity. VI will help answer all the questions in the best possible way. We have no comment until the authorities complete their work.
Romania feels left behind
When NRK visited Romania in January, we met with lawyers Mihnia-Dan Radu and Izabela Porcius. Telemedicine In Romania.
– Digital security is the biggest challenge related to telemedicine, says Radu.
According to advocates, Romania generally lags behind the rest of Europe when it comes to the development of the use of telemedicine.
Porcius, who has completed a PhD in digital security, believes that awareness of data security among Romanians is increasing.
The private medical clinics he knows in Romania take digital security seriously, and he believes there are too many clinics left behind as patient data goes the wrong way.
– Porcius states in general terms that, in theory, patients are safe.
NRK meets attorney partner Mihnia-Dan Radu and attorney Isabella Borcius at the offices of Revnik, Christian & Associates.
Photo: Rolf Christian Topdahl / NRK
Lawyer partner Radu believes that the fact that Romanian radiologists spent their time diagnosing Norwegian patients from Romania may have contributed to increased costs for Romanian patients seeking private healthcare.
– Patients from abroad have higher paying capacity than Romanian patients. Specialists will certainly not reject patients from Romania, but they may ask for more money, Radu says.
“Music geek. Coffee lover. Devoted food scholar. Web buff. Passionate internet guru.”
