When the system is broken, patients are welcome: AZLP ordered KCCG to strengthen personal data protection a year ago

In April 2024, the Agency asked the KCCG to define who, when, how and for what purposes may view patient records through the "Heliant" system.

This institution does not answer Vijesti's questions about responsibility for the leak of the Pobjeda journalist's data.

The excuse that it is not possible to check from which IP address the report was printed cannot be valid and should first concern those at the head of the KCCG, says Radenko Lacmanović.

They knew the system was "drilled": KCCG, Photo: Clinical Center

The Clinical Center of Montenegro is ordered to amend its internal rules for the processing and protection of personal data and specify who, when, in what manner, for what purposes and under what conditions may access and process data contained in the medical information system "Heliant", as well as to determine which employees have access to which personal data.

That order from the Personal Data Protection Agency (AZLP) arrived at the largest healthcare institution in April last year, but a year later, instead of a higher level of protection for diagnoses and therapies, the opposite happened: someone printed out the medical data of Pobjeda journalist Ana Raičković from the account of a doctor on sick leave and handed it to the defence of Zoran Ćoć Bećirović. His lawyer Danilo Mićović read it out in front of a full courtroom, despite the fact that a person from the Clinical Center allegedly obtained this legally protected data by misusing the password of an absent colleague.

"It is symptomatic, according to what we could hear in the media, that the doctor from whose computer the data was accessed had been on sick leave for a long time. I do not want to underestimate the people in the IT sector at the specific controller of the personal data collection, the Clinical Center, but I would recommend, as you should already know, that the password or code of the computer should be changed more often. So, if the password had been changed more often, it would obviously have expired while the doctor was not at work, so the excuse that someone could have seen and found out the password of her computer is not valid," personal data protection expert Radenko Lacmanović told "Vijesti".

During a hearing at the end of March, in the proceedings before the Basic Court over the attack on Raičković, Mićović, the lawyer for the then-accused Bećirović, presented a document on the journalist's health condition to the judge and numerous media outlets, without specifying how he had obtained this information.

More details became known two days ago: one of the employees at the KCCG allegedly printed out and misused Raičković's most sensitive data using the account of a colleague on sick leave.

CLINICALLY NO WORDS ABOUT RESPONSIBILITY AND MEASURES

The Protector of Human Rights and Freedoms recently determined that data about Raičković was "leaked" from the Clinical Center, which violated the journalist's rights.

The Clinical Center does not answer questions about responsibility. Likewise, they do not specifically answer the question of whether and who in that institution can guarantee citizens that their data will not be misused.

"Regarding data protection and possible misuse, especially in the category of confidential and sensitive documents such as medical reports, we are making efforts to continuously instruct employees regarding the security of access to information and its disposal, i.e. instructions for handling the code for accessing the information system and thus the responsibility for providing the code to associates or other persons," says the institution headed by Aleksandar Radovic.

Medical data is protected by the Personal Data Protection Act, while the Law on Patients' Rights guarantees the confidentiality of information communicated by the patient to a healthcare professional, including those relating to their health condition and potential diagnostic and therapeutic procedures, as well as data from medical documentation, which constitute a professional secret and are kept in accordance with a special law.

"The Clinical Center, in performing the activity of providing healthcare, treats all aspects of its business responsibly, striving to achieve competence in a rational, responsible and transparent manner. We are convinced that we confirm the context of responsibility and transparency by quickly implementing internal procedures and actions in accordance with legal acts and regulations, by fully communicating and establishing cooperation with the authorities responsible for implementing procedures for determining responsibility, and especially by transparent and fast communication with the media. As we have previously emphasized in the specific case that is the subject of your interest, the Clinical Center of Montenegro has submitted all available documentation to the competent authorities for implementing procedures for determining responsibility," the institution said.

The Ministry of Health, headed by Vojislav Šimun, has not responded to questions about the responsibility of the KCCG or about the protection of citizens' private lives.

Lacmanović, however, warns that an additional measure could and should have been provided in the KCCG IT protection system: in addition to the password on the computer of everyone authorized to access patient data, there should have been a second access code.

"In that case, there would be a double protection system and there would be no possibility of accessing the system so easily, of obtaining that data so easily. The excuse that it is not possible to check from which IP address the report was printed cannot be valid and should first concern those at the head of the Clinical Center, who would have to hold those responsible for the patient data protection system accountable," he emphasizes.
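An added example, not code from the KCCG or the Heliant system, of the kind of check Lacmanović's remarks call for: a detector run over constructed audit-log lines (date, account, workstation IP, action, patient id) that flags record views and prints made under the account of someone on sick leave, and prints issued from a workstation that account has never used before. Account names, IP addresses, dates and the HR absence list are all constructed for the example.

```python
"""Detection over a constructed Heliant-style access audit log.

Added example (not KCCG's or Heliant's code). Flags record views/prints made
under an account whose owner was on sick leave on that date, and prints
issued from a workstation the account has never used before, so that a
"colleague's password" incident is visible without checking by hand.
"""
from collections import defaultdict
from datetime import date

# Constructed audit lines: date, account, workstation IP, action, patient id
AUDIT_LOG = """\
2025-03-20,dr.petrovic,10.20.1.15,VIEW,P-1001
2025-03-21,dr.petrovic,10.20.1.15,PRINT,P-1001
2025-03-27,dr.jovanovic,10.20.1.40,VIEW,P-2044
2025-03-27,dr.petrovic,10.20.3.77,PRINT,P-3090
2025-03-28,dr.jovanovic,10.20.1.40,PRINT,P-2044
"""

# Constructed HR absence records: account -> (first day, last day) of leave
ON_LEAVE = {"dr.petrovic": (date(2025, 3, 24), date(2025, 4, 10))}


def parse_log(text):
    """Split CSV-style audit lines into (date, account, ip, action, patient)."""
    rows = []
    for line in text.splitlines():
        d, account, ip, action, patient = line.split(",")
        rows.append((date.fromisoformat(d), account, ip, action, patient))
    return rows


def find_suspicious(rows, on_leave):
    """Return (date, account, ip, action, patient, reason) for each anomaly."""
    seen_ips = defaultdict(set)   # workstations each account has used so far
    findings = []
    for d, account, ip, action, patient in sorted(rows):
        reasons = []
        leave = on_leave.get(account)
        if leave and leave[0] <= d <= leave[1]:
            reasons.append("account owner on leave")
        if action == "PRINT" and seen_ips[account] and ip not in seen_ips[account]:
            reasons.append("print from unknown workstation")
        seen_ips[account].add(ip)
        for reason in reasons:
            findings.append((d.isoformat(), account, ip, action, patient, reason))
    return findings
```

Both checks depend on the system recording the workstation address per print, which is exactly the record the Clinical Center says it cannot produce.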

Protection mechanisms existed, supervision failed: Lacmanović, Photo: Savo Prelević

Asked whether the Raičković case shows that anyone's health record can be compromised at any time, Lacmanović responds that the KCCG is not the only institution where this can happen.

"I am absolutely certain that this happens to more or less all state institutions, in different ways, to a greater or lesser extent. If we were to dig a little deeper, we could conclude the same for many institutions. During the time I was at the AZLP, the most frequent violators of the provisions of the law on the protection of personal data were those who had the largest amount of data about us. Those who, by the nature of their work, should have kept it the most carefully and responsibly. These are individual departments in the Government, primarily the Ministry of Internal Affairs. What the situation is today - I don't know, but I'm not sure that it has improved," Lacmanović points out.

DOES ONE PROCEDURE EXCLUDE THE OTHER?

AZLP responded to "Vijesti" yesterday that they initiated, then suspended, the supervision procedure of the KCCG in the Raičković case.

"In this specific case, we are talking about allegations that could potentially have elements of criminal liability. In this regard, in accordance with the law, the Agency contacted the Podgorica Basic State Prosecutor's Office in order to receive an official response to the allegations in the media and officially check whether a case had been opened in this case. The Agency received an affirmative response from the Podgorica Basic State Prosecutor's Office. Considering that a case had been opened before the competent prosecutor's office, on 17 April 4, a decision was issued terminating the supervision procedure due to the previous issue, in order not to jeopardize the course of another investigation, in accordance with the principle of legal certainty and non-overlapping jurisdiction," explained the AZLP.

They specify, however, that since the beginning of its work, the Agency has conducted supervision at KCCG seven times, on several grounds.

"During 2024, at the initiative of a natural person, supervision and additional supervision were carried out and a decision was issued prohibiting unauthorized access to and removal of personal data contained in the medical information system 'Heliant' of the KCCG without an adequate legal basis and for purposes contrary to the law. The decision ordered the KCCG to provide measures to protect the medical information system that would be appropriate to the nature and sensitivity of the data being processed, taking into account the highest level of modern technology and the costs of their implementation. The Agency was informed by the KC that it would act in accordance with the decision in question, and that due to the complexity of the system it needed a longer period of time to implement the ordered actions," the AZLP claims.

Commenting on the fact that the AZLP suspended the control procedure because the case is in the hands of prosecutors, Lacmanović emphasizes that the exact opposite should have happened.

"The Agency, as the competent supervisory authority, should have acted and established the factual situation that would also help the competent judicial authorities. So, now we have a concrete procedure before the prosecutor's office in which everything will be clear, but I believe that it would have been much easier to get to the real facts if the Agency had carried out the supervision procedure," he pointed out.

He points out that "perhaps it's better that it went this way."

"Because when the Agency, which is competent and responsible, is silent, then it is best for them to not speak anymore. Let's remember the numerous situations in which they have spoken out. Those positions were to the detriment, not to the benefit of citizens. I believe that the judiciary will not go in that direction," Lacmanović said.

He also said that it was encouraging that the court did not accept this type of evidence and attempts to compromise the journalist.

"As worrying as the imprecision, ignorance or unwillingness of the AZLP to do its job is, it is encouraging that there are institutions like the Human Rights Protection Agency, which not only do their job, but sometimes take over the jurisdiction of institutions that were supposed to control it before them. Based on all of this, the conclusion is that this is not the competent supervisory body for the protection of personal data. As one of our greatest songwriters would say, we are to blame for letting them go. This time, those who still hold positions in the AZLP, who are not ready to change themselves, let alone the institutions, should recognize their responsibility," Lacmanović concluded.

There are no sanctions, no accountability for abuses.

According to him, the Personal Data Protection Act also provides for sanctions.

"My proposals for filing misdemeanor charges have rarely been passed even at the level of the AZLP Council, let alone the courts. Therefore, it should not be surprising to see the kind of irresponsibility of those who used that data, even though they knew it was obtained illegally. And they were especially aware that no one had suffered any consequences for it so far," said Lacmanović.
