Netherlands Hospital Hit with €460,000 GDPR Data Breach Fine
The GDPR data protection authority in the Netherlands – Authoriteit Persoonsgegevens – has issued its first GDPR data breach fine. Haga Hospital in the Hague has been fined $460,000 ($516,000) for security failures that contributed to a privacy breach in 2018.
The EU’s General Data Protection Regulation requires all entities that collect or process the personal data of EU citizens to implement appropriate security measures to ensure that information remains private and confidential. In the event of a data breach, the appropriate data protection authority must be notified within 72 hours and the breach will be investigated.
In this case, the breach involved a single patient’s records – a well-known Dutch person. Those records were viewed, without authorization, by several employees at the hospital. The Dutch News website named the patient as Samantha de Jong, also known as ‘Barbie’.
The GDPR investigation revealed the hospital had poor internal security controls for patient records, had failed to implement two-factor authentication, and was not regularly reviewing log files to identify unauthorized data access. The lack of appropriate security measures to protect personal data was in violation of GDPR requirements and a fine was deemed necessary. The hospital will now be monitored to make sure that security is improved. Further fines will be issued if security is not brought up to the standards demanded by GDPR.
The hospital has been given until October 2, 2019 to make the necessary improvements or a further fine will be issued at a rate of €100,000 every two weeks up to a maximum of €300,000. Haga Hospital has agreed to implement additional security measures to improve its security posture.
Last year, a similar fine was issued to Centro Hospitalar Barreiro Montijo in Portugal by the Portuguese data protection authority. The hospital had also failed to secure records and prevent unauthorized access from within the hospital. The Portuguese hospital was fined €400,000 for its security failures.