Fine of 440.000 EUR imposed by the Autoriteit Persoonsgegevens on a Dutch hospital.

Back in the lovely Spring of 2019, the Autoriteit Persoonsgegevens (‘AP’) started an investigation into the Onze Lieve Vrouwe Gasthuis (‘OLVG’). The OLVG is a teaching hospital with two locations in Amsterdam that treats more than 550.000 patients a year.

After the OLVG itself notified the AP, the AP sent the OLVG a letter containing questions, which the OLVG answered in May 2019. Subsequently, at the end of May, five supervisors of the AP started an on-site investigation at one of the locations in Amsterdam.

The AP concluded that the OLVG had not implemented sufficient technical and organizational measures and had therefore breached article 32 paragraph 1 GDPR, for two reasons:

  • The hospital was not using two-factor authentication for logging in to its systems; and
  • The hospital had not taken enough measures to prevent unauthorized access to medical files.

Regarding the second reason, the AP found that although the hospital automatically kept track of who had accessed which medical file, it did not actually check whether unauthorized people had accessed medical files. In fact, the AP established that unauthorized employees and working students had accessed medical files. Accordingly, the AP concluded that the OLVG had not implemented appropriate technical and organizational measures until 22 May 2019.

In determining the amount of the fine, the AP considered the nature, the severity and the duration of the breach. The AP found it important that the personal data involved contained a variety of very sensitive data relating to thousands of patients and that the insufficient security had lasted for a considerably long time. The AP therefore increased the standard amount of the fine from 80.000 to 390.000 EUR. Moreover, the AP considered the OLVG’s culpability a relevant factor. The fact that the OLVG had not complied with its own internal policy led the AP to increase the fine by an additional 50.000 EUR, resulting in a final fine of 440.000 EUR.

Two interesting take-aways for the reader of this blog article.

As briefly noted above, something the Dutch DPA found relevant in this case was that the hospital had adopted an internal policy stating that all activities of users, systems and information security events should be recorded in log files, and that incidental and random checks of those logs should be conducted. The Dutch DPA however found that the hospital had carried out only a few random checks and therefore did not comply with its own logging policy. The DPA took this into account when determining the amount of the fine. We therefore strongly advise our clients to include in their policies realistic objectives that can actually be met.
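The two findings above (an access log that was kept but not reviewed, and a policy promising random checks that were rarely done) are easy to turn into a routine control. The following Python script is an added illustration and is not code from the AP decision, the OLVG or this firm. It assumes a constructed log format (timestamp;user;role;patient;action), a constructed table of documented treatment relationships, and constructed sample entries; it flags every access by a user with no documented relationship to the patient, summarizes the hits per user, and draws a seeded random sample of all accesses for the manual spot check the policy requires.

```python
"""Review a medical-record access log: flag accesses without a documented
treatment relationship and draw a random sample for manual audit.

Added illustration only. The log format, field names, relationship table
and sample entries are constructed assumptions, not data from the case.
"""
import random
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines: timestamp;user;role;patient;action
SAMPLE_LOG = """\
2019-05-01T08:12:03;u1001;physician;p500;read
2019-05-01T08:15:44;u1002;nurse;p500;read
2019-05-01T09:02:10;u2007;student;p611;read
2019-05-01T09:30:00;u1001;physician;p612;read
2019-05-01T10:05:21;u3090;admin;p500;read
2019-05-01T11:47:09;u2007;student;p500;read
"""

# Constructed: which user is documented as involved in which patient's care.
TREATMENT_RELATIONS = {
    ("u1001", "p500"),
    ("u1002", "p500"),
    ("u1001", "p612"),
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse semicolon-separated lines into AccessEvent records; reject malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        events.append(AccessEvent(*fields))
    return events


def find_unauthorised(events, relations):
    """Return events where the user has no documented relationship to the patient."""
    return [e for e in events if (e.user, e.patient) not in relations]


def summarise_by_user(flagged):
    """Count flagged accesses per user so repeat offenders stand out."""
    counts = defaultdict(int)
    for e in flagged:
        counts[e.user] += 1
    return dict(counts)


def random_sample(events, k, seed):
    """Deterministic random sample for a manual spot check; record the seed with the audit."""
    rng = random.Random(seed)
    return rng.sample(events, min(k, len(events)))


def review(text, relations, sample_size=2, seed=2019):
    """Run the full review and return a report dictionary."""
    events = parse_log(text)
    flagged = find_unauthorised(events, relations)
    return {
        "total": len(events),
        "flagged": flagged,
        "per_user": summarise_by_user(flagged),
        "sample": random_sample(events, sample_size, seed),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, TREATMENT_RELATIONS)
    print(f"{result['total']} events, {len(result['flagged'])} without a treatment relationship")
    for e in result["flagged"]:
        print(f"  {e.timestamp} {e.user} ({e.role}) -> {e.patient} [{e.action}]")
    print("random spot-check sample:", [(e.user, e.patient) for e in result["sample"]])
```

On the constructed data the script flags three accesses (the student reading two patients it is not involved with, and an administrator reading a patient file), which is exactly the kind of unauthorized access the AP established. Running such a check on a schedule, and keeping the seed and the reviewed sample as evidence, is what turns a logging policy into a demonstrable control.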

Secondly, the hospital did not appeal. There could obviously be several reasons for this, one being to prevent reputational damage. However, it seems as if the Dutch DPA is following a common trend. This case shows significant commonalities with a previous fine the Dutch DPA imposed on another hospital in 2019. That hospital, too, did not have two-factor authentication in place and did not prevent unauthorized employees from having access to medical files. Also, the AP has immediately requested clarification from the GGD, as it has been engaging in the large-scale sale of personal data of millions of Dutch people originating from the two main corona systems of the GGD. Thus, companies operating in this industry should be extra attentive.