The Haga Hospital in the Hague has become the first Dutch body to be fined for violation of Europe’s new privacy law, the General Data Protection Regulation (GDPR). NU.nl has reported that a fine of €460,000 is being imposed on the Hospital for failing to provide a sufficient level of internal security to protect patient records. For keen observers of developments in privacy law, the fact that a hospital has become the first institution in Holland to be fined for non-compliance with GDPR is not altogether surprising. In December 2018, the Dutch Data Protection Authority (DPA) announced that it intended to focus its enforcement efforts in the health sector.
Haga Hospital’s reputation had been damaged several months ago when it emerged that 85 employees had been able to access the patient file of reality star Barbie, real name Samantha de Jong. The DPA promptly investigated and found that the Hospital’s security of medical records was not in order, constituting a breach of Article 32 of the GDPR.
In particular, it was ruled that the Hospital’s security measures were insufficient with respect to both authentication and the control of logging. Regarding authentication, Haga did not provide for two-factor authentication, which should be the case for medical records. When it came to the control of logging, the DPA noted that although the hospital did control its logs, the method employed was insufficient for GDPR compliance. Haga Hospital effected log controls by means of random checks of at least six patient records per annum. The DPA felt that, considering the scale of the data processing, this was not sufficient to satisfy the regulation’s requirement of ‘systematic, risk-oriented or intelligent control’. For the Dutch DPA, logging control should be consistent and systematic; random checks, or those carried out following receipt of a complaint, are insufficient.
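To make the contrast concrete: a systematic, risk-oriented log control evaluates every access event against rules, rather than sampling a handful of records a year. The script below is an added illustration, not code from the hospital or the DPA decision; the log format, the `CARE_TEAM` treatment-relationship table, the threshold values and the sample log lines are all constructed for the example. It flags two patterns a reviewer would want surfaced automatically: a record opened by a user who has no treatment relationship with the patient, and an unusual number of distinct users opening one record within a short window (the kind of spike the article describes).

```python
"""Systematic access-log review for medical records.

Added illustration with constructed log lines, care-team data and thresholds;
none of it comes from the hospital's systems or the DPA decision. Every
access event is checked, instead of sampling six records per year.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, user, role, patient id, action.
SAMPLE_LOG = """\
2019-04-01T08:02:11 u101 nurse P001 view
2019-04-01T08:05:40 u102 physician P001 view
2019-04-01T08:06:02 u103 nurse P001 view
2019-04-01T08:07:15 u104 clerk P001 view
2019-04-01T08:09:30 u105 nurse P001 view
2019-04-01T09:15:00 u101 nurse P002 view
2019-04-01T11:40:12 u106 physician P003 update
2019-04-02T10:00:00 u107 nurse P002 view
"""

# Constructed treatment relationships: users on each patient's care team.
# In a real deployment this would come from the scheduling/admission system.
CARE_TEAM = {
    "P001": {"u101", "u102"},
    "P002": {"u101", "u107"},
    "P003": {"u106"},
}

# Rule 1 parameters (assumed values): flag a record when more than this many
# distinct users open it within the sliding window.
DISTINCT_USER_THRESHOLD = 3
WINDOW = timedelta(hours=24)


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def review_access_log(text, care_team=CARE_TEAM,
                      threshold=DISTINCT_USER_THRESHOLD, window=WINDOW):
    """Return a list of (rule, patient, detail) findings covering every event."""
    events = parse_log(text)
    findings = []

    # Rule 2: access by a user with no treatment relationship to the patient.
    for ev in events:
        if ev["user"] not in care_team.get(ev["patient"], set()):
            findings.append(("no_treatment_relationship", ev["patient"], ev["user"]))

    # Rule 1: unusually many distinct users on one record inside the window.
    by_patient = defaultdict(list)
    for ev in events:
        by_patient[ev["patient"]].append(ev)
    for patient, evs in by_patient.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) > threshold:
                findings.append(("access_spike", patient, len(users)))
                break  # one finding per record is enough for the reviewer
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports three accesses to P001 by staff outside the care team and one access spike on P001 (five distinct users within the window). The point is not the specific thresholds but that the check runs over the whole log, continuously, and produces findings a privacy officer can act on without waiting for a complaint.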
In addition to the fine, the Haga Hospital was given until the 2nd of October to rectify its internal security problems. Failing that, the hospital could face additional fines of €100,000 every fortnight until its security system is GDPR compliant. Although the additional fine has a maximum limit of €300,000, other public bodies throughout the Netherlands and beyond will no doubt be taking notice of the significant penalties such lapses attract.