The Dutch Data Protection Authority has issued its first GDPR fine against the Haga Hospital in the Hague for €460,000.
Authoriteit Persoonsgegevens, the organization responsible for enforcing GDPR in the Netherlands, cited a violation of Article 32 of the regulation, which led to a data breach in 2018, as the reason for fining the hospital.
The breach involved the medical records of a single individual, a reality TV star in the Netherlands named by Dutch News as Samantha de Jong, also known as ‘Barbie’. Several hospital employees viewed the records without the correct authorization to do so. It is thought that nearly 200 employees were caught snooping on the records, which constitutes a severe breach of GDPR.
An investigation into the incident revealed that the hospital had poor internal security controls for patient records. Several standard security features, such as two-factor authentication, had not been implemented. The hospital also failed to review log files regularly to identify unauthorized data access.
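The routine log review the investigation found missing, as an added illustration that is not the hospital's system or any real product: it parses constructed EHR access audit lines and flags two things, a user opening a record with no recorded care relationship to that patient, and a single record opened by an unusually large number of distinct staff. The line format, the CARE_TEAM mapping and the threshold are assumptions for the example.

```python
"""Spot snooping on patient records from EHR access audit logs.

Two checks a regular log review would run:
  1. access by a user with no recorded care relationship to the patient;
  2. one record viewed by more distinct users than expected.
"""
from collections import defaultdict

# Hypothetical care relationships: which users legitimately treat which patient.
CARE_TEAM = {
    "P-1001": {"dr_vos", "nurse_ali"},
    "P-1002": {"dr_bakker"},
}

# Constructed audit log lines, format: timestamp|user|action|patient_id
AUDIT_LOG = """\
2018-04-03T09:12:01|dr_vos|VIEW|P-1001
2018-04-03T09:30:45|nurse_ali|VIEW|P-1001
2018-04-03T10:02:13|clerk_01|VIEW|P-1001
2018-04-03T10:05:57|clerk_02|VIEW|P-1001
2018-04-03T10:06:30|radiology_09|VIEW|P-1001
2018-04-03T11:00:00|dr_bakker|VIEW|P-1002
"""


def parse_audit_log(text):
    """Turn pipe-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, patient = line.split("|")
        events.append({"ts": ts, "user": user, "action": action, "patient": patient})
    return events


def find_unauthorized_access(events, care_team):
    """Events whose user has no care relationship to the patient viewed."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def find_crowded_records(events, max_distinct_users):
    """Patient ids opened by more distinct users than the threshold allows."""
    users_by_patient = defaultdict(set)
    for e in events:
        users_by_patient[e["patient"]].add(e["user"])
    return {p: sorted(u) for p, u in users_by_patient.items() if len(u) > max_distinct_users}


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    for e in find_unauthorized_access(evts, CARE_TEAM):
        print(f"no care relationship: {e['user']} viewed {e['patient']} at {e['ts']}")
    for patient, users in find_crowded_records(evts, max_distinct_users=3).items():
        print(f"record {patient} opened by {len(users)} distinct users: {users}")
```

In practice the care-relationship table comes from the scheduling or admission system and the threshold is tuned per department; the point is that both checks need nothing more than the audit log the hospital already kept.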
The lack of appropriate security measures to protect personal data was in violation of GDPR requirements, and the Dutch DPA decided to issue a fine for the hospital’s failings.
In addition to paying the penalty, Haga Hospital must implement measures to improve its cybersecurity framework. Its progress will be tracked as it does so, and the DPA has warned it may issue further fines if security is not brought up to the standards demanded by GDPR.
The hospital has been given until October 2, 2019, to make the necessary improvements or a further fine will be issued at a rate of €100,000 every two weeks up to a maximum of €300,000. Haga Hospital has agreed to implement additional security measures to improve its security posture.
The Centro Hospitalar Barreiro Montijo in Portugal faced a similar fine from the Portuguese DPA. That hospital had also failed to secure records and prevent unauthorized access from within the hospital, with the result that too many employees could easily access patient records. The Portuguese hospital was fined €400,000 for its security failures.
The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours, and the breach will be investigated.