First GDPR fine in the Netherlands is a reality
Hospital HagaZiekenhuis in The Hague is fined EUR 460,000 for failure to implement adequate technical and organisational measures to secure patient files.
The investigation by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) was launched earlier in 2018 following claims that over 80 hospital staff had unlawfully snooped into the confidential patient files of the reality star ‘Barbie’. The AP found that the hospital should regularly check who accesses which files in order to flag unauthorised access in a timely manner. Such unauthorised access should immediately be addressed with appropriate measures. The AP also found that an adequate security system requires authentication involving at least two factors (access to a patient file should, for instance, require a code in combination with an employee pass).
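The two findings above (regular review of who accesses which patient files, and two-factor authentication for file access) translate into a routine audit of the access log. The following is an added illustration, not code from the hospital, the AP or the original article: it parses a constructed access-log format (fields `user`, `patient` and `factors`, the number of authentication factors used for the session) and flags two things a reviewer would want to see: accesses by staff who have no registered care relationship with the patient, and sessions that were authenticated with fewer than two factors. The log lines, the `CARE_TEAMS` table and the field names are all constructed for this example.

```python
"""Review a constructed EHR access log for accesses outside the care team and
for single-factor sessions. Example code; log format and data are hypothetical."""
import re
from collections import defaultdict

# Hypothetical line format: "<timestamp> user=<id> patient=<id> factors=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) factors=(?P<factors>\d)$"
)

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2018-04-03T10:15:00 user=nurse42 patient=P-1001 factors=2
2018-04-03T10:16:30 user=dr.jansen patient=P-1001 factors=2
2018-04-03T10:20:12 user=clerk07 patient=P-1001 factors=1
2018-04-03T11:02:45 user=nurse42 patient=P-2002 factors=2
2018-04-03T11:05:00 user=dr.jansen patient=P-2002 factors=2
"""

# Constructed care-team register: which staff have a treatment relationship
# with which patient. In practice this comes from the scheduling/EHR system.
CARE_TEAMS = {
    "P-1001": {"nurse42", "dr.jansen"},
    "P-2002": {"dr.jansen"},
}


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped
    but counted so the reviewer knows the log itself may be incomplete."""
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["factors"] = int(rec["factors"])
        yield rec
    if skipped:
        print(f"warning: {skipped} unparseable line(s) skipped")


def review_access(text, care_teams, min_factors=2):
    """Return a list of (timestamp, user, patient, reason) findings.

    Two checks mirror the AP's findings: an access by someone outside the
    patient's care team needs follow-up, and a session that used fewer than
    `min_factors` authentication factors indicates the access control is weak.
    """
    findings = []
    for rec in parse_log(text):
        team = care_teams.get(rec["patient"], set())
        if rec["user"] not in team:
            findings.append((rec["ts"], rec["user"], rec["patient"], "no care relationship"))
        if rec["factors"] < min_factors:
            findings.append((rec["ts"], rec["user"], rec["patient"], "single-factor session"))
    return findings


def patients_per_user(text):
    """Count distinct patient files opened per user. A user touching far more
    files than their role warrants is the volume signal behind the
    'over 80 staff' pattern and is worth reviewing even when each individual
    access looks plausible."""
    seen = defaultdict(set)
    for rec in parse_log(text):
        seen[rec["user"]].add(rec["patient"])
    return {user: len(patients) for user, patients in seen.items()}


if __name__ == "__main__":
    for ts, user, patient, reason in review_access(SAMPLE_LOG, CARE_TEAMS):
        print(f"{ts} {user} -> {patient}: {reason}")
    print(patients_per_user(SAMPLE_LOG))
```

Run as a script it prints three findings from the sample: `clerk07` opened `P-1001` without a care relationship and did so from a single-factor session, and `nurse42` opened `P-2002` while not on that patient's team. The care-team register is the piece that makes the review meaningful; without it a log only tells you that an access happened, not whether it was expected.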
In addition to the fine, the AP has imposed an order subject to a penalty to force the hospital to bring its security measures up to standard. In case of non-compliance by 2 October 2019, the hospital will have to pay EUR 100,000 every two weeks (with a maximum of EUR 300,000).
The AP emphasised that patient confidentiality is of utmost importance and that failure to meet this obligation warrants a hefty fine.
Full article available here (in Dutch). Get in touch with us in case of any questions!