Commissioned by Helse Sør-Øst, Helse Vest and Helse Nord, Unilabs examines hundreds of thousands of X-ray examinations each year. Nevertheless, the X-ray giant failed to inform the health authorities and patients that a total of over 170,000 examinations have been assessed at a clinic in Romania since 2016. The hidden agreement was terminated after news revealed the practice in February. Now the Norwegian Data Protection Authority confirms that it will open a supervisory case on the matter.

– On the basis of what has emerged, we see a need for more information related to the deployment of services to Romania and what assessments have been made of the security of personal data in that connection, says specialist director Susanne Lie of the Norwegian Data Protection Authority.

Specialist director Susanne Lie at the Norwegian Data Protection Authority. Photo: Bjørn Olav Nordahl / news

To carry out a risk assessment

Two radiologists with Norwegian authorization work at the Romanian clinic. In addition, news has revealed that at least 16 people without Norwegian authorization have had access to Unilabs' internal systems. Around 600,000 examinations of Norwegian patients are registered there annually.

Several Unilabs patients news has been in contact with are now wondering whether their radiological images, patient history and other sensitive information have been shared with unauthorized healthcare personnel in Romania.

According to the law, a risk and vulnerability analysis must be carried out before services are outsourced to subcontractors. As Unilabs never told Helse Sør-Øst, Helse Vest and Helse Nord about the Romanian clinic, the health institutions were never able to assess the risk of patient information being shared publicly with at least 18 people in Romania.

Privacy expert and lawyer Malgorzata Agnieszka Cyndecka at the University of Bergen (UiB) reacts to what has emerged in the case.

– By not carrying out a risk assessment, you do not know whether you are complying with the requirements set by the GDPR, or how you may be breaking the rules, says Cyndecka.

Malgorzata Agnieszka Cyndecka is associate professor and GDPR expert at the University of Bergen. Photo: Kim E. Andreassen, University of Bergen

She points out that the clinic in Romania is also responsible for complying with the requirements set by the GDPR. Cyndecka believes Unilabs will be responsible for any breaches of the privacy regulations, as they never told the healthcare institutions about the Romanian clinic.

– I think it will be interesting to know how long Unilabs has been doing this, and whether they have ever familiarized themselves with the privacy regulations and read GDPR Article 28, says the GDPR expert.

Breaches of the Personal Data Act can lead to high fines. In recent years, the Norwegian Data Protection Authority has on several occasions handed out fines worth several million kroner.

– Breach of trust

Misinterpretation of the privacy requirements and health legislation can have negative consequences for the individual patient's health care, the Ministry of Health and Welfare stated in a circular in 2019. Information flow within and between health services is among the areas where the risk of patient safety failing is greatest.

Head of department Nils Kalstad at NTNU is an expert in information security and has read news's articles about Unilabs' clinic in Romania with interest.

– The breach of trust towards the individual patient and the breach of compliance in the supply chain appear, from an information security perspective, to be the biggest challenges, says Kalstad, who emphasizes that he knows the matter only from the media.

NTNU's Nils Kalstad at the Department of Information Security and Communication Technology. Photo: Knut Røsrud

Professor Johan Gustav Bellika at UiT thinks the case appears serious, and says that privacy in Norwegian healthcare is important.

– It is fundamental for the trust between the patient and the healthcare worker that privacy is maintained. How can patients trust the healthcare system if it neglects their state of health via the IT systems, says Bellika.

The Norwegian Health Authority asks Unilabs to explain

The Norwegian Health Authority is also interested in how Unilabs has handled privacy and information security in this case.

– The Norwegian Health Authority will ask Unilabs for an explanation of the risk and vulnerability assessments they used as a basis when the solution in question was chosen. Unilabs must also document current practices and agreements. Based on this, we will decide whether there is a need for further supervisory follow-up, says department director Ingerid Herstad Nygaard to news.

X-rays from a number of Unilabs departments in Norway were examined by doctors in Romania. Illustration: Mari Grafsrønningen

Helse Sør-Øst has informed both the Norwegian Health Authority and the Norwegian Data Protection Authority about Unilabs Norway's use of radiologists in Romania.

news has asked Unilabs Norway's managing director Baber Qazi whether the radiologists in Romania have had access to all examinations in Unilabs Norway's internal systems. But Qazi does not want to answer news on this now, as the Norwegian Data Protection Authority has opened a case on the matter. In an e-mail to news, Qazi replies as follows:

– Unilabs has received an inquiry from the Norwegian Health Authority requesting information about the case, and we are also aware that the Norwegian Data Protection Authority has opened a supervisory case on the matter. We have not yet received any inquiries from the Norwegian Data Protection Authority. We are now looking forward to an independent review and dialogue with the supervisory authorities to illuminate the case in all its complexity. We will assist in answering all questions in the best possible way. We have no further comments until the authorities have completed their work.

This is what Unilabs writes about privacy

In a letter to Helse Sør-Øst on 6 February, Unilabs writes how it safeguards the privacy of patients:

"It follows from Section 1 of the Personal Data Act that the General Data Protection Regulation (GDPR) applies as Norwegian law. All the countries within the EU/EEA area have introduced the General Data Protection Regulation and have thus ensured that personal data is processed properly. Romania is an EU member and is thus subject to the GDPR's local scope. Within the EU/EEA, personal data can be used, sent and shared across national borders if there is a basis for processing, provided that the other requirements in the legislation are met. Norwegian special legislation also allows for this. The special legislation mainly refers to the GDPR. Section 25 of the Health Personnel Act authorizes that 'confidential information may be given to cooperating personnel when this is necessary in order to provide proper health care'. It follows from the preparatory work that 'cooperating personnel' can be understood to include assistants."

In a response on 21 February, Helse Sør-Øst writes that Unilabs' interpretation is based on incorrect assumptions:

"In its response letter of 6 February 2023, Unilabs makes considerations about the General Data Protection Regulation and the Personal Data Act. However, these are based on incorrect assumptions. All processing of personal data by Unilabs Norge AS under the contract must be based on the contract. The contract prohibits the use of subcontractors. The agreement Unilabs Norge AS has with the subcontractor does not provide a basis for processing. The use of assistants in accordance with the Health Personnel Act requires necessity. There is no need for a double assessment of the images as described and carried out by the subcontractor."

Thinks Romania is lagging behind

When news went to Romania in January, we met lawyers Mihnea-Dan Radu and Isabela Porcius, who have researched telemedicine in Romania.

– Digital security is the biggest challenge related to telemedicine, says Radu.

Romania generally lags behind the rest of Europe in the development and use of telemedicine, according to the lawyers. Porcius, who is completing a PhD in digital security, believes that awareness of data security is increasing among Romanians. The private medical clinics she knows of in Romania take digital security seriously, and she believes the cost of patient data going astray is far too great for the clinics to be left behind.

– In theory, the patients are safe, says Porcius on a general basis.

news meets lawyer partner Mihnea-Dan Radu and lawyer Isabela Porcius in the offices of Revnic, Cristian & Associates. Photo: Rolv Christian Topdahl / news

The fact that Romanian radiologists have spent their time diagnosing Norwegian patients from Romania may have contributed to increasing the costs for Romanian patients seeking private health care, says lawyer partner Radu.

– Patients from abroad have the capacity to pay more than Romanian patients. The specialists will certainly not reject patients from Romania, but they may ask for more money, says Radu.