Sending Medical Reports via Email or WhatsApp: Risks and Secure Solutions
Explore the risks of sending medical reports via email or WhatsApp and discover the safest GDPR-compliant methods for doctor-patient communication.
The risks of WhatsApp and email channels
Today, it is increasingly common to see doctors and healthcare facilities communicating with patients via WhatsApp or email, conveniently sending reports in a simple message. However, health data is among the most sensitive information, and its protection is strictly governed by the General Data Protection Regulation (GDPR). A casual use of these channels exposes organizations to enormous risks, including potential violations of GDPR regulations, and — no less importantly — a loss of trust from patients.
GDPR and health data: why confidentiality is essential
Health data falls under the "special categories of personal data" identified by the GDPR, and therefore deserves enhanced protection under the principle of integrity and confidentiality, which requires that personal data be safeguarded to ensure adequate protection against unauthorized or unlawful access.
According to an analysis by the European Agency ENISA, the healthcare sector is indeed one of the hardest hit by data breaches, with 215 public breaches reported between 2021 and 2023. 46% of cybersecurity incidents involved data breaches, i.e. threats to data integrity, while 30% of cyberattacks specifically targeted patient data — data that holds high value for criminals.
WhatsApp and email in doctor-patient communication
The main reason for WhatsApp's success in healthcare communication is its immediacy, ease of use, and widespread adoption on smartphones.
According to a survey conducted in 2022 by the Florence Medical Association in partnership with the DataLifeLab (University of Florence), doctors use WhatsApp in 84.3% of cases. Other widely used channels include SMS (50.9%), email (6.6%), and alternative messaging apps such as Telegram or Facebook (14.5%).
Specifically, WhatsApp is used for many different purposes:
For 56.1% of professionals, to exchange clinical information about patients;
For 53.9% of professionals, to communicate with patients about clinical results;
In 42% of cases, to evaluate tests and provide therapeutic advice remotely;
For 40% of professionals, to manage appointments;
For 20.7% of professionals, to send prescriptions.
Despite end-to-end encrypted conversations or password protection, the use of email or WhatsApp poses significant risks in terms of health data privacy — especially when dealing with an app owned by a non-European Big Tech company that may not comply with the European GDPR.
Real-world cases of damages and consequences
Numerous cases across Europe concretely show what can happen when health data is not adequately protected during communications. In this regard, two cases are particularly telling:
The British hospital NHS Lanarkshire suffered a data breach between April 2020 and April 2022, as 26 employees had access to a WhatsApp group — approved and limited to Covid-19 pandemic-related use — for exchanging service communications. This group was subsequently also used for sharing patients' personal data. In this case, the ICO (UK Data Protection Authority) intervened by issuing a severe reprimand to the healthcare organization, setting a precedent across Europe and prompting all organizations to review their policies on the use of messaging apps to prevent similar incidents.
The AUSL Emilia-Romagna (Italy) was fined €50,000 by the Italian Data Protection Authority in 2021 for a patient data breach, in which a patient's confidential clinical information was disclosed to family members despite the patient's explicit refusal to consent to sharing.
These are just a few examples of data leaks, where the consequences can range from financial penalties — which can reach tens of thousands of euros — to reputational damage, with the resulting loss of image and patient trust.
What the authorities say: guidelines and warnings
In recent years, partly due to the health emergency caused by the Covid-19 pandemic, European Data Protection Authorities have begun to authorize the use of secure digital channels for the dematerialization of prescriptions, such as the Electronic Health Record, certified email (PEC), SMS, or email.
This is the case in Italy, where the Data Protection Authority published a recent provision, No. 620 of October 17, 2024, providing precise guidelines on sending digital medical reports via email. These include:
Sending the report as an attachment rather than in the body of the email;
Protecting the file with a password or encryption, communicated separately;
Verifying the recipient's email address in advance to avoid errors.
At the European level, ENISA and the European Commission are promoting greater security in the processing of health data through initiatives such as the European Health Data Space (EHDS) and the NIS2 Directive (2022/2555), which imposes stricter cybersecurity requirements on healthcare facilities and hospitals.
From queuing at the counter to digital delivery: secure ways to receive medical documents
Until a few years ago, the only way to obtain your medical reports was to physically go to the clinic, facing queues, limited hours, and inconveniences. This method, while secure, requires time and effort.
An intermediate solution is sending documents via protected email or through dedicated portals, such as the Electronic Health Record with personal login credentials and SPID (Italy's digital identity system). These tools offer a reasonable level of security but are often complex to use — both for patients and healthcare facilities.
Today, thanks to digital innovation, it is possible to choose even more secure and efficient methods. Platforms like RefertoSicuro enable the transmission of medical documents through encrypted channels, ensuring that only the intended recipient can access them. Among the protective measures adopted are: password authentication, OTP codes, automatic link expiration, and access monitoring.
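To make the controls listed above concrete, here is an added illustration that is not RefertoSicuro's code or a description of its internals: a small standard-library model of a signed report link that expires automatically, is protected by a single-use one-time code delivered out of band, and writes every access attempt (granted or denied, and why) to an access log. The class, its method names, the signing key and the report and patient identifiers are all hypothetical, constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class AccessEvent:
    """One entry of the access log: which report, when, and the outcome."""
    timestamp: int
    report_id: str
    outcome: str


class SecureReportDelivery:
    """Hypothetical model of a secure report-delivery service (not a real product API)."""

    MAX_OTP_ATTEMPTS = 3  # lock the link after this many wrong codes

    def __init__(self, signing_key: bytes):
        self._key = signing_key                      # server-side HMAC key (constructed)
        self._otp_hashes: dict[str, bytes] = {}      # token -> SHA-256 of its unused OTP
        self._attempts: dict[str, int] = {}          # token -> failed OTP attempts
        self.access_log: list[AccessEvent] = []

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue_link(self, report_id: str, patient_id: str, ttl_seconds: int, now: int) -> str:
        """Build a signed token binding report, intended recipient and expiry time."""
        payload = json.dumps(
            {"r": report_id, "p": patient_id, "exp": now + ttl_seconds},
            separators=(",", ":"),
        )
        body = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
        return f"{body}.{self._sign(body)}"

    def issue_otp(self, token: str) -> str:
        """Generate a 6-digit code to send by a separate channel; only its hash is kept."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._otp_hashes[token] = hashlib.sha256(otp.encode()).digest()
        self._attempts[token] = 0
        return otp

    def _decode(self, token: str):
        """Return the payload if the signature is valid, else None."""
        try:
            body, sig = token.rsplit(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        padded = body + "=" * (-len(body) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))

    def open_report(self, token: str, otp: str, now: int) -> str:
        """Validate link and OTP; every attempt, successful or not, is logged."""
        payload = self._decode(token)
        if payload is None:
            return self._log("?", now, "denied:bad-signature")
        report_id = payload["r"]
        if now > payload["exp"]:
            return self._log(report_id, now, "denied:expired")
        expected = self._otp_hashes.get(token)
        if expected is None:
            return self._log(report_id, now, "denied:no-otp-or-used")
        if self._attempts[token] >= self.MAX_OTP_ATTEMPTS:
            return self._log(report_id, now, "denied:locked")
        if not hmac.compare_digest(hashlib.sha256(otp.encode()).digest(), expected):
            self._attempts[token] += 1
            return self._log(report_id, now, "denied:wrong-otp")
        del self._otp_hashes[token]  # single use: a replayed code is refused
        return self._log(report_id, now, "granted")

    def _log(self, report_id: str, now: int, outcome: str) -> str:
        self.access_log.append(AccessEvent(now, report_id, outcome))
        return outcome


if __name__ == "__main__":
    # Constructed walk-through: issue a link valid for one hour, then open it.
    svc = SecureReportDelivery(signing_key=b"constructed-demo-key")
    t0 = 1_700_000_000
    link = svc.issue_link("REF-001", "patient-42", ttl_seconds=3600, now=t0)
    code = svc.issue_otp(link)  # would be sent by SMS, not in the same message as the link
    print(svc.open_report(link, code, now=t0 + 60))      # granted
    print(svc.open_report(link, code, now=t0 + 120))     # denied:no-otp-or-used
    for event in svc.access_log:
        print(event)
```

The design choice worth noting is that the link alone grants nothing: the token only proves the server issued it for a given report and recipient before a given time, while the one-time code, delivered over a second channel and stored only as a hash, supplies the second factor, and the access log gives the facility the monitoring trail it needs to notice forwarded links, expired-link retries and guessing attempts.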
Adopting RefertoSicuro is extremely simple: it requires no operational changes from doctors or healthcare facilities, and easily integrates as an alternative digital channel. The result is a fast, intuitive, and GDPR-compliant process that protects documents from the moment they are created until the patient views them.
Conclusion: Privacy and innovation can coexist
The digitalization of healthcare offers great opportunities but requires responsibility. Channels like WhatsApp or email simplify communication but pose risks if used without proper care. Compliance with the GDPR is not optional: it is essential to protect both patients and healthcare organizations.
Investing in secure solutions and training staff is the decisive step toward ensuring competitive, effective, and privacy-respecting care — because protecting data means protecting the relationship of trust with patients.