A German court was considering whether to award damages against a health insurance company following a data breach. The insurance company had sent the health records of one of its members to an incorrect email address. Not only was the address entered incorrectly, so that the records went to the wrong person, but the email also wasn’t encrypted.
Article 82 of the GDPR provides for damages for any person who has suffered immaterial damage as a result of a violation. The court concluded that Article 82 applies regardless of the relationship between the data subject and the controller. The misdirected email involved unauthorised dissemination of personal data. Although the member had consented to the transmission of their health record via email, they were not informed that it would be neither encrypted nor pseudonymized.
Damages were awarded because the court found that the Plaintiff had suffered non-material damage in the form of mental stress. As a result, the health insurance company was ordered to pay €2,000. This took into account the effect of the data breach on the Plaintiff, the disclosure of personal health data, and the fact that the Plaintiff lost control of her data for 10 months: it took 10 months to confirm that the recipient had deleted the email.