The Netherlands – First GDPR fine imposed: EUR 460,000

Today, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA“) issued its first GDPR-fine of EUR 460,000. The fine is imposed on the Dutch Haga Hospital for having an insufficient internal security of patient records. The fact that the first GDPR-fine was imposed on a hospital isn’t a complete surprise, as already in December 2018, the Dutch DPA already announced that it would focus its enforcement actions on the public and health sector.

Prior to imposing the fine, the Dutch DPA initiated an investigation after it appeared that a large amount of hospital staff had accessed the medical records of a Dutch celebrity (197 employees!) During its investigation, the Dutch DPA checked whether to hospital’s information security systems met the security requirements of Article 32 GDPR and, more specifically, specific health care sector security standards.

The Dutch DPA concluded that the Haga Hospital had taken insufficient security measures with respect to authentication and the control of logging, which constitutes a breach of Article 32 of the GDPR. With respect to authentication, the hospital did not have in place two-factor authentication, which should have been the case when it comes to patient records. With respect to the control of logging, the Dutch DPA mentions that the hospital did control its logs (by a random check of six patient records per year), but concluded that this wasn’t not sufficient to meet the requirement of ‘systematic, risk-oriented or intelligent control’, in particular considering the scale of data processing by the hospital. The Dutch DPA concluded that that logging control must be systematic and consistent and that “where a random check and / or check is based on complaints is not sufficient”.

Next to the fine of 460,000 EUR, the Dutch DPA imposed a cease and desist order. If the hospital has not improved its security of patient records before 2 October 2019, it must pay another EUR 100,000 every two weeks, with a maximum of EUR 300.000. As such, a strong message was spread by the Dutch DPA today that hospitals (and other health care providers) must take all technical and organizational measures to ensure that patient information is secure.

Ilias Abassi and Richard van Schaik