Dutch Data Protection Authority Issues First GDPR Fine
The fine, against a large hospital, stems from its apparent lack of internal patient record security.
The Netherlands' data protection authority, the Dutch Data Protection Authority (DPA), added to the recent rash of General Data Protection Regulation (GDPR) fines last week, fining a hospital there for failing to secure its patient records. It was the first fine the DPA has imposed since GDPR went into effect in May 2018.
On July 16, the DPA fined HagaZiekenhuis, the largest hospital in The Hague region, EUR 460,000 (roughly $513,647) for insufficient internal security of patient records.
The hospital, also known as The Haga, is one of nineteen large teaching hospitals in the Netherlands.
According to the DPA, the hospital did not have appropriate controls in place to safeguard its patients' records. The incident apparently came to light in 2018 after a well-known Dutch person stayed at the hospital and "dozens of hospital staff," nearly 100, were caught snooping in that person's medical records.
According to the DPA, at least two of the Haga's security measures fell short. First, the hospital had no way to alert administrators when an employee viewed a patient file they were not authorized to see; without a way to flag such access in real time, there was no way to act on the misconduct, the DPA said. Second, the database lacked two-factor authentication, which would have verified the identity of a user with legitimate access to a patient file before letting him or her open it with a code or password.
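To illustrate the first missing control, flagging record access by staff with no care relationship to the patient, here is a small audit-log check. It is an added example, not code from the DPA, the hospital, or the original article; the log format, staff ids, patient ids and care-team table are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample access-log lines (assumed format): timestamp staff_id patient_id action
SAMPLE_LOG = """\
2018-04-02T09:01:00 nurse01 P-1001 view
2018-04-02T09:03:00 doc17 P-1001 view
2018-04-02T09:04:00 admin42 P-1001 view
2018-04-02T09:05:00 lab09 P-1001 view
2018-04-02T10:00:00 nurse01 P-2002 view
"""

# Constructed care-team table: staff with a documented treatment relationship per patient.
CARE_TEAM = {"P-1001": {"nurse01", "doc17"}, "P-2002": {"nurse01"}}


def parse_log(text):
    """Parse whitespace-separated access-log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, patient, action = line.split()
        events.append({"ts": ts, "staff": staff, "patient": patient, "action": action})
    return events


def find_unauthorized(events, care_team):
    """Return events where the staff member is not on the patient's care team.

    Each returned event is something an administrator should be alerted about
    as it happens; this is the real-time flag the DPA found missing."""
    return [e for e in events if e["staff"] not in care_team.get(e["patient"], set())]


def find_popular_records(events, threshold):
    """Return {patient_id: distinct_viewer_count} for records viewed by at least
    `threshold` different staff members, the pattern of a snooping spike on a
    high-profile patient's file."""
    viewers = defaultdict(set)
    for e in events:
        viewers[e["patient"]].add(e["staff"])
    return {p: len(s) for p, s in viewers.items() if len(s) >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_unauthorized(evs, CARE_TEAM):
        print(f"ALERT {e['ts']}: {e['staff']} viewed {e['patient']} without a care relationship")
    print("records with unusually many viewers:", find_popular_records(evs, 3))
```

In a real deployment the care-team table would come from the admission or scheduling system and the alert would feed the hospital's SIEM rather than stdout.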
In the eyes of the DPA, the hospital violated Article 32(1) of GDPR, which requires the controller and the processor to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk."
While the hospital has indicated that it will take the necessary measures, if it has not improved its security by October 2, the DPA will require it to pay EUR 100,000 every two weeks, up to a maximum of EUR 300,000.
Although it violates HIPAA, viewing a celebrity's medical records can be tempting for hospital employees. In the United States, several employees at Northwestern Memorial Hospital in Chicago were purportedly let go after accessing health records belonging to Jussie Smollett, an actor who was a patient there following an alleged attack earlier this year.
By deploying a strict data loss prevention solution, hospitals and other healthcare facilities can prevent inappropriate access while safeguarding Protected Health Information (PHI).