The AP imposes its first GDPR fine on a Dutch hospital

Written on 17 Jul 2019

Following a lengthy investigation, the Dutch Data Protection Authority (AP) concluded that a Dutch hospital did not take adequate technical and organisational measures (as referred to in Article 32 of the GDPR) and imposed an administrative fine of EUR 460,000. In addition to the fine, the AP imposed an order subject to a penalty, which could result in a maximum additional penalty of EUR 300,000 in the event the hospital does not timely take adequate measures.

What happened?

The AP’s investigation into the hospital’s security measures was prompted by a data breach notification from the hospital in April 2018 regarding the medical records of a Dutch reality-star having been accessed by 85 employees who were not authorized nor involved in the treatment of the reality-star. In its investigation the AP focused specifically on the measures implemented by the hospital regarding authentication, authorisation and (control of) logging of employee access to medical files.

The AP emphasised that, given the sensitivity and potential, risks for data subjects, a high level of security requirements must be observed for the protection of medical data. In this respect the AP concludes that two-factor authentication is required (which was not mandatory for employees within the hospital). Further, the AP concludes that the requirement of an appropriate level of security requires that logs regarding access to medical files are regularly and systematically reviewed. According to the AP, the hospital did not meet these criteria, as the hospital only examined specific logs in 2018 based on requests from patients or employees (except for one proactive check on the medical file of the reality-star following the notification).

Administrative fine

The fine (EUR 460,000) is calculated in accordance with the AP’s recently published fining policy (see also our recent post).

In its fining policy the ‘base fine’ (used as starting point) for breach of article 32 GDPR is set at EUR 310,000. This base fine can be subsequently increased or decreased based on a number of factors. In this case the AP specifically takes into account:

  • the nature, seriousness and duration of the infringement. The AP emphasises that the security breach is ongoing and structural. Moreover, the AP underlines that the hospital was aware of the security breach since it became aware of the incident relating the medical records of the reality-star, but failed to implement measures to prevent such future incidents. Therefore, and taking into account the amount of data subjects and types of personal data, the AP increases the fine with EUR 75,000;
  • the intentional or negligent nature of the infringement. The AP takes into account that the hospital did not take adequate security measures regarding two-factor authentication and control of logs, whilst the hospital was fully aware that such measures were required (which also followed from its own research report following the incident). The argument made by the hospital that it had insufficient resources and time to implement such measures is deemed irrelevant, as limited resources and time cannot legitimise a breach of the GDPR. Consequently, the AP increases the fine with another EUR 75,000;
  • the measures taken by the hospital to mitigate the damages. However, the measures taken by the hospital (including creating awareness under employees) do not result in an decrease of the fine, as the measures relating to the protection of patient records must be viewed in its entirety; and
  • the categories of personal data. The AP emphasises that the categories of personal data is already taken into account under ‘the nature, seriousness and duration of the infringement’ and therefore on its own does not result in an increase of the fine.

Order subject to a penalty

As the security breaches are ongoing, the hospital also received an order subject to a penalty, which intends to ensure that the hospital improves its security measures within the next 15 weeks. In this respect the hospital must ensure that:

  • access to medical files is only possible through two-factor authentication; and
  • log files are regularly reviewed for unauthorised access or use of medical records.

You can find the Dutch version of the fining decision here.