FINE OF  EUR 460,000 on Dutch Hospital – HAGAZIEKENHUIS for breach of data protection!

The hospital apparently did not have enough internal controls. The incident apparently came to light when a VIP Dutch person went there and ‘dozens of hospital staff’, nearly 100, were caught snooping in the persons records.

According to the DPA, at least two of the Haga’s security measures fell short of sufficient. The hospital didn’t have a way to alert administrators if an unauthorized employee was viewing a file they weren’t supposed to. Without a way to flag the access in real time, there was no way to take action against the malfeasance, the DPA said. Second, the database lacked two factor authentication, something which could have verified the identity of a user with legitimate access to the patient file, then let him or her access it with a code or password.

In addition to the fine, the regulator imposed a penalty of €100,000, due every two weeks with a maximum of €300,000, if the hospital does not remediate the situation and implement appropriate security measures by 2nd October 2019. The hospital can still appeal the decision.

Source:https://digitalguardian.com/blog/dutch-data-protection-authority-issues-first-gdpr-fine