By The Clinical Center of Montenegro (KCCG) is responsible for the leak of protected data from the medical file of Pobjeda journalist Ana Raičković, which ended up in the hands of Danilo Mićović, the defense attorney for those accused of violent behavior against Raičković and her family members.
This is stated in the response issued by the Institution of the Protector of Human Rights and Freedoms (Ombudsman) following a complaint by the Trade Union of Media of Montenegro.
Attorney Mićović, in a case concerning the criminal offense of violent behavior involving Zoran and Luka Bećirović, Mladen Mijatović, and Ljubiša Dukić, attempted to submit the journalist’s medical records as evidence during a hearing held on March 28. Judge Ilija Radulović rejected Mićović’s request.
Following this, the KCCG, at the request of the Media Union, determined that Ana Raičković’s rights had been violated, and the Basic State Prosecutor’s Office in Podgorica launched an investigation ex officio to determine who had provided Mićović with the protected data.
Documentation Sent from Computer of Doctor on Medical Leave
The Ombudsman, acting on the request from the Media Union of Montenegro, launched an inquiry into KCCG’s actions on March 28. The Clinical Center subsequently informed the Ombudsman that they had initiated a procedure to determine the circumstances under which the medical report had been distributed to the public.
“Upon gathering information, it was found that the report in question was printed through the Heliant information system from the account of Dr. Marina Đaletić, who conducted the medical examination, on May 29, 2024, and also from the account of Dr. Veselinka Đurišić on March 26, 2025,” the Ombudsman stated.
He noted that KCCG requested an explanation from the director of the Institute for Children’s Diseases, where Dr. Đurišić is employed, as to why the report was printed from her computer.
“He responded that Dr. Đurišić was on medical leave at the time the report was printed, and remains on leave. She also informed the director that she had not authorized anyone to use her credentials during her absence,” it was stated.
KCCG also informed the Ombudsman that their information system does not allow for verification of the IP address from which a report was printed, meaning it is not possible to determine who printed it.
KCCG forwarded all collected information to the Police Directorate for further action.
Violation of Article 8 of the European Convention
The Ombudsman emphasized that personal data related to patients belongs to their private life, and the handling or disclosure of such data necessarily falls within the scope of Article 8 of the European Convention on Human Rights.
The Ombudsman believes that the disclosure of a specialist doctor’s report, which contains highly sensitive and personal data, constitutes an interference with the patient’s right to respect for private life.
The Ombudsman further noted that KCCG did not deny that such a data leak occurred. He also emphasized that the health institution must ensure that special categories of data, such as those concerning health status, are appropriately protected against unauthorized access, publication, and misuse.
“In the Ombudsman’s assessment, practical and effective protection to eliminate any possibility of unauthorized access was not provided. The Ombudsman must conclude that, at the relevant time, KCCG failed in its positive obligation under Article 8(1) of the Convention to ensure respect for the complainant’s private life. Therefore, a violation of Article 8 occurred.”
KCCG Failed Legal Obligation to Maintain Data Confidentiality
The Ombudsman concluded that the disclosure of the data represented a violation of privacy rights simply because there were no effective and efficient mechanisms in place to prevent such a situation.
“As such, KCCG failed to fulfill its legal obligation to maintain data confidentiality and protect the complainant’s privacy, which resulted in the disclosure of information to third parties,” the Ombudsman added.
In the Ombudsman’s opinion, it is undisputed that the data from Raičković’s private life originated from KCCG’s database, as the controller of the personal data collection.
“Although this body was unable to identify the person who printed the report after conducting the investigation, it is difficult to draw any conclusion other than that KCCG, generally speaking, allowed such a leak to occur, thus assuming responsibility,” the Ombudsman stated, also referring to the European Court of Human Rights ruling in the case M.D. v. Spain, dated June 28, 2022.
KCCG Urged to Tighten Access to Citizens’ Personal Data Collections
In its recommendations to KCCG, the Ombudsman stated that the health institution should determine all circumstances related to the unauthorized access and publication of the medical report, and, if grounds exist, initiate proceedings to establish disciplinary responsibility.
KCCG is advised to implement strict access controls for collections of personal data, and to improve technical data protection measures – including the use of multi-factor authentication, data encryption, and regular updates of security protocols.
The Ombudsman also recommended that KCCG organize employee training on data protection rules and recognizing potential threats, to reduce the likelihood of similar incidents in the future.
The Clinical Center of Montenegro (KCCG) is responsible for the leak of protected data from the medical file of Pobjeda journalist Ana Raičković, which ended up in the hands of Danilo Mićović, the defense attorney for those accused of violent behavior against Raičković and her family members.
This is stated in the response issued by the Institution of the Protector of Human Rights and Freedoms (Ombudsman) following a complaint by the Trade Union of Media of Montenegro.
Attorney Mićović, in a case concerning the criminal offense of violent behavior involving Zoran and Luka Bećirović, Mladen Mijatović, and Ljubiša Dukić, attempted to submit the journalist’s medical records as evidence during a hearing held on March 28. Judge Ilija Radulović rejected Mićović’s request.
Following this, the KCCG, at the request of the Media Union, determined that Ana Raičković’s rights had been violated, and the Basic State Prosecutor’s Office in Podgorica launched an investigation ex officio to determine who had provided Mićović with the protected data.
Documentation Sent from Computer of Doctor on Medical Leave
The Ombudsman, acting on the request from the Media Union of Montenegro, launched an inquiry into KCCG’s actions on March 28. The Clinical Center subsequently informed the Ombudsman that they had initiated a procedure to determine the circumstances under which the medical report had been distributed to the public.
“Upon gathering information, it was found that the report in question was printed through the Heliant information system from the account of Dr. Marina Đaletić, who conducted the medical examination, on May 29, 2024, and also from the account of Dr. Veselinka Đurišić on March 26, 2025,” the Ombudsman stated.
He noted that KCCG requested an explanation from the director of the Institute for Children’s Diseases, where Dr. Đurišić is employed, as to why the report was printed from her computer.
“He responded that Dr. Đurišić was on medical leave at the time the report was printed, and remains on leave. She also informed the director that she had not authorized anyone to use her credentials during her absence,” it was stated.
KCCG also informed the Ombudsman that their information system does not allow for verification of the IP address from which a report was printed, meaning it is not possible to determine who printed it.
KCCG forwarded all collected information to the Police Directorate for further action.
Violation of Article 8 of the European Convention
The Ombudsman emphasized that personal data related to patients belongs to their private life, and the handling or disclosure of such data necessarily falls within the scope of Article 8 of the European Convention on Human Rights.
The Ombudsman believes that the disclosure of a specialist doctor’s report, which contains highly sensitive and personal data, constitutes an interference with the patient’s right to respect for private life.
The Ombudsman further noted that KCCG did not deny that such a data leak occurred. He also emphasized that the health institution must ensure that special categories of data, such as those concerning health status, are appropriately protected against unauthorized access, publication, and misuse.
“In the Ombudsman’s assessment, practical and effective protection to eliminate any possibility of unauthorized access was not provided. The Ombudsman must conclude that, at the relevant time, KCCG failed in its positive obligation under Article 8(1) of the Convention to ensure respect for the complainant’s private life. Therefore, a violation of Article 8 occurred.”
KCCG Failed Legal Obligation to Maintain Data Confidentiality
The Ombudsman concluded that the disclosure of the data represented a violation of privacy rights simply because there were no effective and efficient mechanisms in place to prevent such a situation.
“As such, KCCG failed to fulfill its legal obligation to maintain data confidentiality and protect the complainant’s privacy, which resulted in the disclosure of information to third parties,” the Ombudsman added.
In the Ombudsman’s opinion, it is undisputed that the data from Raičković’s private life originated from KCCG’s database, as the controller of the personal data collection.
“Although this body was unable to identify the person who printed the report after conducting the investigation, it is difficult to draw any conclusion other than that KCCG, generally speaking, allowed such a leak to occur, thus assuming responsibility,” the Ombudsman stated, also referring to the European Court of Human Rights ruling in the case M.D. v. Spain, dated June 28, 2022.
KCCG Urged to Tighten Access to Citizens’ Personal Data Collections
In its recommendations to KCCG, the Ombudsman stated that the health institution should determine all circumstances related to the unauthorized access and publication of the medical report, and, if grounds exist, initiate proceedings to establish disciplinary responsibility.
KCCG is advised to implement strict access controls for collections of personal data, and to improve technical data protection measures – including the use of multi-factor authentication, data encryption, and regular updates of security protocols.
The Ombudsman also recommended that KCCG organize employee training on data protection rules and recognizing potential threats, to reduce the likelihood of similar incidents in the future.
