
Unlawful Access to Medical Records and Health Data
Criminal defence in the unauthorised access, use or transfer of health data and medical records (Art. 197.2 and 197.5 CP), with aggravated penalties because the information is specially protected data.
What Art. 197.2 CP protects
Article 197.2 of the Spanish Criminal Code protects privacy against the unlawful processing of reserved personal data held in files or on computer, electronic or telematic media. It punishes anyone who, without authorisation, seizes, uses or modifies reserved personal or family data of another recorded in any type of archive, as well as anyone who, without authorisation, accesses such data by any means or alters or uses it to the detriment of the data subject or a third party. The penalty is imprisonment of one to four years and a fine of twelve to twenty-four months, the same as the basic offence of disclosure of secrets in Art. 197.1 CP.
The medical record is the paradigmatic example of a file protected by this provision. Accessing a patient's health record without a care relationship, consulting the hospital information system out of curiosity or for personal reasons, or extracting data from an occupational health file without authorisation, are conducts that fall under Art. 197.2 CP. Disclosure of the data is not required: mere unauthorised access or use completes the offence.
The health-data aggravation (Art. 197.5 CP)
The distinctive feature of these cases is that the medical record contains specially protected data. Article 197.5 CP provides that, where the acts described in the preceding paragraphs affect personal data revealing ideology, religion, beliefs, health, racial origin or sexual life, or where the victim is a minor or a person with a disability in need of special protection, the penalties are imposed in their upper half. In the case of health data, this aggravation applies almost automatically, raising the penalty range of Art. 197.2 CP.
If profit-seeking intent also concurs and the acts affect data covered by Art. 197.5 CP, Art. 197.6 CP raises the penalty to imprisonment of four to seven years. The boundary between access out of curiosity and access aimed at obtaining a benefit or harming a third party is therefore decisive for the legal classification.
Penalties and aggravated subtypes
The system of Art. 197 CP is completed by several subtypes relevant to the healthcare and employment context. Art. 197.3 CP punishes with imprisonment of two to five years the dissemination, disclosure or transfer to third parties of the discovered data. Art. 197.4 CP aggravates the penalty when the acts are committed by the person or entity in charge of or responsible for the file —typically, healthcare or administrative staff with legitimate access to the system who use it for purposes alien to their function— or when the data is disseminated.
Where the access is carried out by an authority or public official taking advantage of their office and outside the cases permitted by law, Art. 198 CP applies, imposing the respective penalties in their upper half and, in addition, absolute disqualification for a period of six to twelve years. This provision is particularly relevant for staff of public hospitals, mutual insurers, inspection services or administrations with access to health data.
Alongside criminal liability, improper access to a medical record usually gives rise to sanctioning proceedings before the Spanish Data Protection Agency (AEPD) under the GDPR and the LOPDGDD. Both proceedings may coexist, so the defence strategy must address the whole. In this area it is advisable to coordinate the defence with that of disclosure of secrets offences and, where applicable, with the unlawful access to computer systems of Art. 197 bis CP, whose framing is different.
Elements of the offence and defence lines
The defence always starts from analysing the basis for access: if there was a care relationship, the data subject's consent, legal authorisation or a purpose covered by healthcare regulations, the conduct may fall outside the offence. The subjective element is essential: Art. 197.2 CP requires conscious and unauthorised access, so that accidental access, access covered by internal protocols, or access necessary for patient care does not constitute the offence. The firm of Alonso Sala, based at Velázquez 27, Madrid, undertakes both the defence of healthcare and administrative professionals under investigation and the private prosecution of patients whose records have been breached. For a case assessment you may contact us on 91 078 65 74.
Penalties & Consequences: Unlawful Access to Medical Records and Health Data
| Type / Scenario | Criminal Penalty |
|---|---|
| Basic offence (Art. 197.2 CP) | Unauthorised access, use, modification or transfer of reserved personal data held in files: imprisonment of one to four years and a fine of twelve to twenty-four months. |
| Health-data aggravation (Art. 197.5 CP) | Where it affects health data or other specially protected data, the penalties are imposed in their upper half; with profit-seeking intent over such data, Art. 197.6 CP raises the penalty to imprisonment of four to seven years. |
| Public official (Art. 198 CP) | An authority or official who accesses outside the legal cases taking advantage of their office is liable to the penalties in their upper half and absolute disqualification of six to twelve years. |
* Penalties shown are indicative. The actual penalty depends on case circumstances, applicable mitigating and aggravating factors.
Defence Strategy: Unlawful Access to Medical Records and Health Data
Analysis of the basis for access
We examine whether there was a care relationship, the data subject's consent or legal authorisation justifying the consultation of the record, which may exclude the conduct from Art. 197.2 CP from the outset.
Defence of the subjective element
The offence requires conscious and unauthorised access. Proving that the access was accidental, necessary for patient care or covered by internal protocols may render the conduct non-punishable.
Coordination with the administrative route
We coordinate the criminal defence with the sanctioning proceedings before the AEPD, avoiding statements or admissions in one procedure that would harm the position in the other.
Cybercrime in Spain: Hacking, Phishing & Digital Fraud — Defence Guide
Cybercrime encompasses illegal access to computer systems (Art. 197 bis CP), computer damage and ransomware (Art. 264 CP), phishing and digital fraud (Art. 249.1.a CP), and the production or distribution of hacking tools (Art. 197 ter). Spain's prosecution of cybercrime has intensified dramatically, with specialised units in the National Police (BIT) and Guardia Civil (GDT) leading investigations. Defence requires a unique combination of criminal law expertise and advanced technical knowledge.
Penalty Table: Cybercrime
| Offence | Article | Description | Penalty |
|---|---|---|---|
| Illegal access to systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Interception of data | Art. 197 bis.2 | Intercepting non-public data transmissions | 3 months – 2 years |
| Production/supply of hacking tools | Art. 197 ter | Creating or distributing tools designed for cybercrime | 6 months – 2 years |
| Computer damage (basic) | Art. 264.1 | Deleting, damaging or making data inaccessible | 6 months – 3 years |
| Aggravated damage (critical infrastructure) | Art. 264.2 | Affecting essential services or critical infrastructure | 2 – 5 years prison |
| Cyber fraud (phishing) | Art. 249.1.a | IT manipulation to obtain unlawful transfer of assets | 6 months – 3 years |
Key Defence Strategies
IP Attribution Challenge
An IP address does not identify a person. Shared Wi-Fi networks, VPNs, Tor exit nodes and NAT configurations mean multiple users may share one IP. The prosecution must prove the accused was the actual user at the relevant time.
Chain of Digital Custody
Digital evidence is extremely fragile. If the police failed to image the hard drive with a write-blocker, if hash values don't match, or if evidence was handled improperly, the defence can seek exclusion of the entire digital evidence chain.
Authorised Security Testing
Ethical hacking and penetration testing carried out with the system owner's authorisation is legal. If the defendant had a written engagement contract, bug bounty agreement or responsible disclosure policy, there is no criminal offence.
Lack of 'Breaching Security Measures'
Art. 197 bis requires that security measures were breached. If the system had no password, no firewall, or the access point was public, the element of 'breaching security' may be absent, negating the offence.
Key Case Law
The Supreme Court confirmed that 'access' requires effectively entering the system, not merely attempting it. The prosecution must prove: (1) access occurred, (2) it was unauthorised, and (3) security measures were breached. Port scanning alone does not constitute the offence.
The Court ruled that ransomware attacks may constitute a concurrent offence of computer damage (Art. 264) and extortion (Art. 243 CP). The encryption of data satisfies the 'damage' element even if data is technically recoverable upon payment.
In phishing operations, the Court distinguished between the organiser and the 'money mule' (account holder). The mule's liability depends on proof of knowledge that the funds were illicit. Wilful blindness may suffice, but mere negligence does not.
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.