Background

The Dutch Data Protection Authority imposed an administrative fine of
EUR 460,000 on Haga Hospital in The Hague on 18 June 2019 (published 16 July 2019) (link in Dutch). It is the first fine imposed in the Netherlands for a violation of the General Data Protection Regulation (GDPR).

The hospital is facing this fine because it did not sufficiently secure its medical log files. Several dozen hospital employees (approximately 85) had unnecessary access to a specific medical file. This medical file belonged to a famous Dutch reality star whose hospital admittance received a lot of media attention in the Netherlands in 2018. A whistleblower published about the unlawful access to the medical file through the website Publeaks, eventually leading to an investigation by the Dutch Data Protection Authority.

Data breach

The breach lies in the fact that the hospital did not meet the requirement to have a two-factor authentication process in place to protect the medical files. Furthermore, the medical log files were not evaluated regularly. This omission resulted in a breach of article 32(1) of the GDPR, according to the Dutch Data Protection Authority. This article requires data controllers and processors to implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

The Dutch Data Protection Authority applied the 2019 Dutch fining policy rules to determine the EUR 460,000 fine amount.

The Dutch Data Protection Authority has also imposed an order on the hospital, subject to penalty, that aims to cure this continuing GDPR breach. If the infringement is not fixed within 15 weeks, the hospital will incur an additional penalty of EUR 100,000 per two weeks with a maximum amount of EUR 300,000.

First Dutch fine under GDPR

Although some consider an earlier fine issued to a transportation network company on 6 November 2018 of
EUR 600,000 for a data breach as the “first Dutch GDPR fine”, (link in Dutch) the fine issued to the hospital is the first fine imposed solely under the GDPR by the Dutch Data Protection Authority and also not under the GDPR’s statutory predecessor (which was the case with the transportation network’s fine).

The hospital has already stated that it plans to appeal the height of the fine.

For more on the data protection and the Netherlands, click here.