The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) has published its decision to impose an administrative fine of EUR 440,000 on Amsterdam hospital OLVG due to the lack of sufficient measures to prevent access to medical records by unauthorised personnel.
After receiving complaints, the Dutch DPA opened an investigation and carried out an audit of the hospital's information system, examining among other things security aspects such as authentication and the review of access logging. The Dutch DPA concluded that OLVG had systematically failed to adequately safeguard access to medical records and identified two specific violations: one concerning authentication and one concerning the verification of logging.
With regard to logging, a hospital must keep records of which medical files have been consulted by whom (logging) and must review those records on a regular basis, so that unauthorised access can be identified and measures taken in response. OLVG did keep such records automatically, but it did not review them often enough. The Dutch DPA found that between 1 January 2018 and 17 April 2019 OLVG performed only two random checks and eight incidental checks of the logging for a single electronic medical record. OLVG therefore also failed to act in accordance with its own policies, and the Dutch DPA held that this falls short of an adequate level of security for identifying unauthorised access to patient data and responding to it.
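The control the Dutch DPA describes, logging every consultation of a medical record and reviewing those logs regularly for access that was not justified, is usually automated rather than done by hand. The example below is added here and is not code from the decision, from OLVG or from any EHR vendor: it parses a small constructed access log, flags every access for which the user had no treatment relationship with the patient on that day, and measures the longest period in which no review took place at all. The CSV layout, the field names, the notion of a dated "treatment relationship" as the authorisation basis, and the review dates are all assumptions made for the example; a real EHR exports its own audit format and a hospital defines its own authorisation rules.

```python
"""Automated review of electronic health record (EHR) access logs.

Added example (not the DPA's, OLVG's or any vendor's code). Log format,
field names, the dated-assignment authorisation rule and the review dates
are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample access log (CSV): timestamp, user, role, patient, action
SAMPLE_LOG = """\
2019-03-01T08:15:00,u101,nurse,p5001,view
2019-03-01T08:20:00,u202,physician,p5001,edit
2019-03-01T12:40:00,u303,nurse,p5001,view
2019-03-02T09:05:00,u101,nurse,p5002,view
2019-03-02T23:55:00,u404,admin_clerk,p5001,view
2019-03-03T10:00:00,u202,physician,p5002,view
"""

# Constructed treatment relationships: (user, patient, from, to), dates inclusive.
# An access is treated as authorised only if such a relationship covers its date.
SAMPLE_ASSIGNMENTS = [
    ("u101", "p5001", date(2019, 2, 25), date(2019, 3, 5)),
    ("u202", "p5001", date(2019, 2, 25), date(2019, 3, 5)),
    ("u101", "p5002", date(2019, 3, 2), date(2019, 3, 10)),
]


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the assumed CSV export into AccessEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def has_treatment_relationship(user: str, patient: str, on: date, assignments) -> bool:
    """True if some assignment links this user to this patient on the given date."""
    return any(u == user and p == patient and start <= on <= end
               for u, p, start, end in assignments)


def flag_unauthorised(events: list[AccessEvent], assignments) -> list[AccessEvent]:
    """Return every access for which no treatment relationship existed that day.

    These are the entries a reviewer must look at (and, if unjustified, act on);
    an emergency "break-glass" access would need its own justification record,
    which this constructed log does not model.
    """
    return [e for e in events
            if not has_treatment_relationship(e.user, e.patient, e.ts.date(), assignments)]


def review_gaps_days(review_dates: list[date], period_start: date, period_end: date) -> int:
    """Longest run of days inside the period during which no log review took place.

    Compares a policy of 'regular' review against what was actually done:
    the larger this number, the longer an unauthorised access can go unnoticed.
    """
    points = sorted([period_start, *review_dates, period_end])
    return max((b - a).days for a, b in zip(points, points[1:]))


def example_review_gap() -> int:
    """Assumed review dates (not from the decision) within the DPA's audit period."""
    return review_gaps_days([date(2018, 6, 1), date(2019, 1, 15)],
                            date(2018, 1, 1), date(2019, 4, 17))


if __name__ == "__main__":
    for e in flag_unauthorised(parse_log(SAMPLE_LOG), SAMPLE_ASSIGNMENTS):
        print(f"REVIEW: {e.ts.isoformat()} {e.user} ({e.role}) {e.action} {e.patient}")
    print("longest unreviewed stretch (days):", example_review_gap())
```

In the constructed log, the nurse u303 and the clerk u404 consult p5001 without any assignment, and physician u202 consults p5002 outside any assignment, so three of six entries land on the reviewer's list; the remaining accesses are covered by a dated relationship and are not raised. With only two review dates in the roughly fifteen-month audit period, the longest unreviewed stretch is 228 days, which illustrates why a handful of random and incidental checks does not amount to regular verification.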
During the investigation, OLVG implemented additional security measures, including two-factor authentication within the hospital's network and structural monitoring of the access logs. Nevertheless, the Dutch DPA concluded that OLVG had violated Article 32(1) of the GDPR by failing to meet the requirements of two-factor authentication and regular review of logging from 25 May 2018 until at least 22 May 2019. On that basis a fine of EUR 440,000 was imposed. OLVG has announced that it will not appeal the decision.
In 2019, the Dutch DPA imposed a fine on another Dutch hospital for a similar violation.
Demi Rietveld & Richard van Schaik