The Netherlands: 440,000 EUR fine for hospital re. unauthorised access to medical records

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) has published its decision to impose an administrative fine of EUR 440,000 on the Amsterdam hospital OLVG for failing to take sufficient measures to prevent unauthorised personnel from accessing medical records.

Following complaints, the Dutch DPA conducted an investigation and carried out an audit of the hospital’s information system, examining, among other things, security aspects such as authentication and the verification of logging. The Dutch DPA concluded that OLVG had systematically failed to adequately safeguard access to medical records and identified two specific violations, one concerning authentication and one concerning the verification of logging.

First, OLVG should have implemented two-factor authentication for access to personal data in electronic medical records, in view of the sensitive nature of the data (including health data and national security numbers), the large scale of the processing and the risks to the privacy of the data subjects. The Dutch DPA, however, found that two-factor authentication was only required when logging on from outside OLVG’s network; within the OLVG network, personnel could gain access using only a user name and password. On top of that, “single sign-on” was in place, meaning that after logging on there was immediate access to the hospital information system and the electronic medical records. The Dutch DPA notes that OLVG referred, among others, to NEN 7510, NEN 7512 and NEN 7513 in its Information Security and Privacy Policy. These NEN standards require that the identity of users be established by means of two-factor authentication.

In addition, a hospital must keep records of which medical files have been consulted by whom (logging) and check these records on a regular basis, in order to be able to identify unauthorised access and take measures accordingly. OLVG keeps such an automatic record; however, it did not check and verify the logging often enough. The Dutch DPA found that OLVG performed only two random checks and eight incidental checks of the logging of a single electronic medical record between 1 January 2018 and 17 April 2019. OLVG therefore failed to act in accordance with its own policies, and the Dutch DPA states that this is insufficient for an adequate level of security with regard to identifying unauthorised access to patient data and taking measures in response to it.
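The logging check described above, as an added illustration that is not taken from the decision or from OLVG's systems: a review routine run over constructed EMR access log lines that flags any access by a user with no recorded treatment relationship to the patient. The log format, the care-team mapping and all user and patient identifiers are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed EMR access log lines (assumed format, not a real product's output):
# timestamp, user, role, patient record, action.
LOG_LINES = """\
2019-03-01T08:02:11 user=nurse01 role=nurse patient=P1001 action=view
2019-03-01T08:15:43 user=doc07 role=physician patient=P1001 action=view
2019-03-01T09:30:05 user=admin02 role=finance patient=P1001 action=view
2019-03-01T10:05:00 user=doc07 role=physician patient=P2002 action=view
2019-03-02T22:47:19 user=nurse01 role=nurse patient=P3003 action=view
"""

# Constructed treatment relationships: which users are on each patient's care team.
# In practice this would come from the hospital's scheduling or admission system.
CARE_TEAM = {
    "P1001": {"nurse01", "doc07"},
    "P2002": {"doc07"},
    "P3003": {"nurse09"},
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) patient=(\S+) action=(\S+)$")


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse log lines into AccessEvent objects; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, role, patient, action = m.groups()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def flag_suspicious(events, care_team):
    """Return every access where the user is not on the patient's care team.

    These are the events a reviewer should follow up on; an empty care team
    for a patient means nobody has a recorded treatment relationship."""
    return [e for e in events if e.user not in care_team.get(e.patient, set())]
```

Each flagged event is a candidate for follow-up by the privacy officer; the routine does not decide whether an access was justified, only that no recorded relationship explains it.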

During the investigation, OLVG implemented additional security measures, including two-factor authentication within the hospital’s network and structural monitoring of the logging. The Dutch DPA nevertheless concluded that OLVG had violated Article 32(1) of the GDPR by failing to comply with the requirements for two-factor authentication and regular monitoring of logging from 25 May 2018 until at least 22 May 2019. As a result, a fine of EUR 440,000 has been imposed. OLVG has announced that it will not appeal the decision.

In 2019, the Dutch DPA imposed a fine on another Dutch hospital for a similar violation (more information can be found here).

You can read the press release here and the full decision here (only available in Dutch).

Demi Rietveld & Richard van Schaik