Region Syddanmark has filed a formal complaint with the Danish Data Protection Authority after mail contractor DAO left sacks of sensitive health information on publicly accessible hospital floors during weekends. The incident forced the region to discard diagnostic test samples and deploy extra staff to secure mail deliveries while Dao’s senior management has been summoned to resolve the breaches.
Denmark’s mail distribution system faces another crisis as Region Syddanmark takes legal action against Dao for serious delivery failures. The postal contractor left bags containing sensitive patient information in unsecured locations at multiple Southern Danish hospitals during mid February.
The region discovered the breaches in week six when hospital staff found mail sacks dumped in public hallways. These areas lacked weekend staffing and remained accessible to anyone entering the facilities. The incident has triggered both operational disruptions and potential violations of data protection law.
Security Failures at Southern Danish Hospitals
The mail handling problems have affected several hospitals across the southern region. Dao failed to follow agreed delivery procedures despite receiving access cards specifically designed to enable secure drop offs in restricted areas.
Breach of Delivery Agreements
Region Syddanmark had provided Dao with security credentials to access controlled areas within hospital facilities. Instead of using these cards, drivers left mail in public entrance halls where anyone could access the contents. Kurt Espersen, the region’s group director, described the situation as unacceptable and a clear violation of contractual obligations.
The bags contained health related correspondence that qualifies as sensitive personal data under Danish law. While no evidence suggests anyone exploited the exposure, the risk alone prompted the formal complaint to Datatilsynet. The region cannot take chances with patient information security.
Impact on Patient Care
The improper storage conditions forced hospitals to discard diagnostic test samples from patients. Medical samples require specific handling and storage protocols to remain viable for laboratory analysis. Leaving them in uncontrolled environments over weekends rendered them useless.
Patients affected by the discarded samples face delays in receiving test results and potential diagnoses. Some may need to provide new samples and restart portions of their diagnostic process. The operational disruption adds pressure to healthcare facilities already managing heavy workloads.
Data Protection Authority Involvement
Region Syddanmark filed the complaint with Datatilsynet due to the sensitivity of the exposed information. The authority oversees enforcement of data protection regulations in Denmark and investigates potential violations. The complaint follows established procedures for reporting security incidents involving personal data.
The timing coincides with Datatilsynet’s 2026 focus areas, which include examination of risk assessments and technical safeguards. Organizations face heightened scrutiny regarding vendor management and third party data handling practices. The authority has not yet issued a preliminary assessment or investigation timeline.
Regional Response and Interim Measures
Region Syddanmark has implemented emergency protocols while awaiting a permanent solution from Dao. The measures aim to protect both patient safety and data security until delivery procedures meet contractual standards.
Staff Deployed for Mail Collection
Hospital personnel now conduct manual mail rounds at locations where Dao previously left unsecured deliveries. The staff check for improperly placed mail during times when Dao drivers might deposit bags in public areas. This temporary arrangement diverts workers from their regular duties.
Espersen acknowledged the additional burden on employees who already have full schedules. The extra work creates operational costs for the region. However, he stated that protecting patient information and healthcare quality leaves no alternative until Dao resolves its delivery problems.
Management Meeting Demanded
The region has summoned Dao’s senior leadership to a meeting focused on solving the delivery failures. Regional officials expect concrete action plans and timeline commitments from the company. The meeting will address both the specific incidents and broader systemic issues affecting mail handling.
Region Syddanmark wants assurance that Dao will consistently follow delivery protocols going forward. The company must demonstrate how it will prevent future breaches and maintain security standards. The region’s willingness to file regulatory complaints signals its determination to enforce contractual obligations.
Broader Context of Data Protection Challenges
The Dao complaint occurs against a backdrop of data security challenges within Region Syddanmark itself. The region’s enforcement action comes despite its own recent history with data protection violations.
Previous Regional Data Breaches
Region Syddanmark received a one million kroner fine in late 2024 for gross violations of data protection law. The penalty represented the largest ever imposed on a Danish public authority for such violations. The case involved unauthorized access to sensitive health records between 2018 and 2020.
Unauthorized individuals could view health records of 3,915 patients through an unsecured PowerPoint presentation on the region’s website. A separate database breach exposed health information on more than 23,000 residents, including children in psychiatric care. People could access the database through simple URL manipulation.
Court Findings and Implications
The Kolding District Court ruled in December 2024 that the region created unnecessary and unacceptable risks to affected citizens. Datatilsynet had initiated the criminal complaint in summer 2021 after discovering the security failures. The court’s decision established clear expectations for public authorities handling sensitive personal information.
The fine and court ruling demonstrate that Region Syddanmark has faced systemic data security challenges. The current Dao complaint fits within an ongoing pattern of scrutiny regarding how the region and its contractors protect patient information. The history may influence how Datatilsynet evaluates the region’s vendor management practices.
Heightened Awareness and Standards
Region Syddanmark’s own legal troubles likely heightened its sensitivity to data protection issues. The region now operates under increased pressure to demonstrate robust security practices. This context helps explain the quick escalation to Datatilsynet rather than handling the Dao incidents through purely contractual channels.
The combination of recent penalties and current vendor failures creates a challenging environment for regional healthcare operations. Region Syddanmark must simultaneously improve its internal practices and hold contractors accountable for security standards. The dual responsibility increases operational complexity and resource demands.
Ongoing Mail Distribution Problems
The hospital incidents represent just one facet of broader difficulties plaguing Denmark’s mail system since Dao took over distribution responsibilities.
Nationwide Delivery Challenges
Dao has struggled with mail delivery across Denmark since assuming postal operations from PostNord at the beginning of 2025. The company faces mounting complaints about delayed, misplaced, and undelivered mail. Hospital delivery failures add security dimensions to what many Danes experience as simple service problems.
The scale of complaints suggests systemic issues rather than isolated incidents. Dao must address both basic operational capacity and specialized requirements for handling sensitive materials. Healthcare facilities require reliability and security standards exceeding those for ordinary mail delivery.
Uncertain Resolution Timeline
Neither Region Syddanmark nor Dao has specified when normal delivery operations will resume. The region continues its interim measures indefinitely while monitoring Dao’s improvement efforts. Hospital staff face ongoing additional duties until the contractor demonstrates consistent compliance.
Dao has not issued public statements about the hospital incidents or its action plans. The company’s silence leaves affected hospitals and patients without clarity about resolution timelines. The lack of communication compounds frustration with the delivery failures themselves.
Sources and References
DR: Region Syddanmark har anmeldt Dao til Datatilsynet
The Danish Dream: Mail Chaos in Denmark: 15,000 Complaints Slam DAO
