Dutch Data Protection Regulator AP Issues First Major GDPR Fine to Hospital

GDPR recently made the news in the Netherlands when the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (AP) issued a €460000 fine to a hospital in The Hague. The Haga Hospital did not adequately protect the medical records of a TV celebrity, who entered the hospital in 2018 after a suicide attempt. No less than 197 staff at the hospital were found to have “snooped” at the well-known patient’s records.

The fact that a sizeable GDPR fine has been levied at a Dutch hospital comes as no surprise, as the AP had previously announced its focus on public and health sectors. On top of the initial fine, the Haga Hospital will be liable for a further €100000 every fortnight after October 2nd 2019 if it hasn’t improved the data security of patients by that date (up to €300000).

Why Target the Health Sector?

You can always argue that hefty fines against hospitals are immoral. Maybe that amount of money would be better spent elsewhere, but part of patient care should always be a respect for privacy. In fact, this is the first GDPR fine which the Dutch Data Protection Authority has issued, so it hasn’t been undertaken lightly.

The Haga Hospital breached Article 32 of the GDPR. This demands a level of security which corresponds to the level of risk posed by the data in question. Health-related data is considered high risk because it has a more significant potential to harm individuals if leaked. For instance, it might affect the subject’s job prospects or their reputation. Like all data, it needs managing and mapping, so that the hospital or organisation knows where it is and who has access to it.

The risks associated with processing medical data, and all aspects of its handling, (e.g. who has access, IT security, the security of premises, anonymisation), must be assessed to avoid the type of GDPR breach which occurred at the Dutch hospital. Small to medium-sized companies or bodies can use GDPR compliance software to assist them in these steps.

Two-Factor Authentication and Control of Logging

The Dutch Data Protection Authority found that the Haga Hospital did not use two-factor authentication and failed in control of logging. This is a breach of GDPR Article 32, but what does it mean?

• Two-factor authentication is as it sounds. The user must be able to identify himself using two different pieces of evidence. It’s a double-check on who is accessing the data, based on something they know or have, or who they are. This type of multi-factor authentication is often used in banking, where you must know answers to security questions and your password, for instance. At an ATM you need your bank card as well as your PIN.
• Control of logging refers to being in command of who consults files and the ability to check this at all times, thus quickly identifying unauthorised access. In the case of the Dutch hospital, only six security checks on random patients were carried out each year. This does not correspond to the sheer volume of data a hospital processes. To meet GDPR standards, systematic, risk-oriented control is necessary.

Similar Case in Portugal

There have been several high-profile GDPR infractions recently. Hospital data breaches tend to shock because of the sensitivity of the data. In Portugal, the Centro Hospitalar Barreiro Montijo was fined €400000 last year under similar circumstances. Too many people had easy access to patient records. This poses a particular risk to high-profile patients but is disconcerting to all. The GDPR threat at both hospitals came from a lack of security within.

Lessons to Learn

In a healthcare setting, patients have an absolute right to expect confidentiality, regardless of who they are. And that can only happen if data is accessible on a need-to-know basis; a key factor in keeping it secure. Raising staff awareness is paramount in protecting data.

Similar principles apply to all companies. GDPR offers a chance to show customers that you respect their data and process it responsibly. Using the right software can help; why not begin the compliance process today?