Dutch Data Protection Authority issues first GDPR fine

Sep 16, 2019

The Haga Hospital in the Hague has become the first Dutch body to be fined for violation of Europe’s new privacy law, the General Data Protection Regulation (GDPR). NU.nl has reported that a fine of €460,000 is being imposed on the Hospital for failing to provide a sufficient level of internal security to protect patient records. For keen observers of developments in privacy law, the fact that a hospital has become the first institution in Holland to be fined for non-compliance with GDPR is not altogether surprising. In December 2018, the Dutch Data Protection Authority (DPA) announced that it intended to focus its enforcement efforts in the health sector.

Haga Hospital’s reputation had been damaged several months ago when it emerged that 85 employees had been able to access the patient file of reality star Barbie, real name Samantha de Jong. The DPA promptly investigated and found that the Hospital’s security of medical records was not in order, constituting a breach of Article 32 of the GDPR.

In particular, it was ruled that the Hospital’s security measures were insufficient in respect of both authentication and the control of logging. Regarding authentication, Haga did not provide for two-factor authentication, which should be in place for access to medical records. When it came to the control of logging, the DPA noted that although the hospital did check its logs, the method employed was insufficient for GDPR compliance. Haga Hospital carried out log control by means of random checks of at least six patient records per annum. The DPA felt that, considering the scale of the data processing, this was not sufficient to satisfy the regulation’s requirement of ‘systematic, risk-oriented or intelligent control’. For the Dutch DPA, logging control should be consistent and systematic; random checks, or checks carried out only after a complaint has been received, are insufficient.
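To make the distinction the DPA draws concrete, here is an added illustration (not code from the article, the hospital or the DPA) of what a systematic, risk-oriented review of an access log can look like, as opposed to sampling a handful of records a year. Every access entry is examined, and two risk signals are computed per patient record: accesses by staff with no registered treatment relationship, and an unusually large number of different staff opening one record in a short window, which is the pattern one would expect when a well-known patient is admitted. The log format, staff identifiers, care-team table and thresholds are all constructed assumptions for the example.

```python
"""Systematic, risk-oriented review of patient-record access logs (added example).

All data below is constructed for illustration; the log format, staff ids,
care-team assignments and thresholds are assumptions, not any real system.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: "ISO-timestamp staff_id patient_id", one access per line.
SAMPLE_LOG = [
    "2019-04-01T08:05:00 doc001 P100",
    "2019-04-01T08:30:00 nurse01 P100",
    "2019-04-01T09:10:00 adm001 P100",
    "2019-04-01T09:12:00 adm002 P100",
    "2019-04-01T10:45:00 adm003 P100",
    "2019-04-01T11:00:00 adm004 P100",
    "2019-04-02T07:20:00 adm005 P100",
    "2019-04-02T13:40:00 adm006 P100",
    "2019-04-01T14:00:00 doc002 P200",
    "2019-04-03T14:00:00 doc002 P200",
    "2019-04-05T16:30:00 doc001 P300",
]

# Constructed treatment relationships: staff registered on each patient's care team.
CARE_TEAM = {
    "P100": {"doc001", "nurse01"},
    "P200": {"doc002"},
    "P300": {"doc003"},
}


def parse_log(lines):
    """Parse 'timestamp staff patient' lines into (datetime, staff, patient) tuples."""
    entries = []
    for line in lines:
        ts, staff, patient = line.split()
        entries.append((datetime.fromisoformat(ts), staff, patient))
    return entries


def max_distinct_staff_in_window(accesses, window):
    """Largest number of distinct staff who opened one record within any span of `window`.

    accesses: list of (datetime, staff_id) for a single patient record.
    Uses a sliding window over the time-sorted accesses with a per-staff counter.
    """
    accesses = sorted(accesses)
    counts = Counter()
    left = 0
    best = 0
    for right in range(len(accesses)):
        t_right, staff = accesses[right]
        counts[staff] += 1
        # Drop accesses that fall out of the window ending at t_right.
        while t_right - accesses[left][0] > window:
            old_staff = accesses[left][1]
            counts[old_staff] -= 1
            if counts[old_staff] == 0:
                del counts[old_staff]
            left += 1
        best = max(best, len(counts))
    return best


def review_access_log(entries, care_team, window=timedelta(days=7), max_distinct=5):
    """Review every access (not a sample) and return findings keyed by patient id.

    A patient record is reported when either signal fires:
      - outside_care_team: staff without a registered treatment relationship
        opened the record (sorted list of staff ids)
      - max_distinct_staff: more than `max_distinct` different staff opened the
        record within `window` (the "curious colleagues" pattern)
    """
    by_patient = defaultdict(list)
    for t, staff, patient in entries:
        by_patient[patient].append((t, staff))

    findings = {}
    for patient, accesses in by_patient.items():
        allowed = care_team.get(patient, set())
        outsiders = sorted({staff for _, staff in accesses if staff not in allowed})
        fan_in = max_distinct_staff_in_window(accesses, window)
        if outsiders or fan_in > max_distinct:
            findings[patient] = {
                "outside_care_team": outsiders,
                "max_distinct_staff": fan_in,
            }
    return findings


if __name__ == "__main__":
    for patient, finding in review_access_log(parse_log(SAMPLE_LOG), CARE_TEAM).items():
        print(patient, finding)
```

Run against the constructed log, the review flags P100 (eight different staff in two days, six of them off the care team) and P300 (one access outside the care team), while P200, accessed only by its own physician, produces no finding. The point of the design is that the review is driven by the whole log and by risk signals, so it scales with the volume of processing rather than with how many records someone happens to pick for a yearly check.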

In addition to the fine, Haga Hospital was given until the 2nd of October to rectify its internal security problems. Failing that, the hospital could face additional fines of €100,000 every fortnight until its security system is GDPR compliant. Although the additional fine has a maximum limit of €300,000, other public bodies throughout the Netherlands and beyond will no doubt be taking notice of the significant penalties such lapses attract.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
