Haga Hospital fined for failing to adequately protect patient records

Security of personal data

Haga Hospital does not have adequate safeguards in place to protect patient records, an investigation by the Dutch Data Protection Authority (DPA) has found. The investigation was initiated after it emerged that dozens of hospital staff had viewed the medical files of a Dutch celebrity. The DPA is fining Haga Hospital €460,000 for failing to adequately protect its data.

The DPA is also imposing an order subject to penalty in order to compel the hospital to improve the security of its patient records. As of 2 October 2019, the hospital will be liable to pay €100,000 for every two weeks that its data projection is not improved, up to a maximum of €300,000. Haga Hospital has stated that it is taking appropriate measures.

Doctor-patient confidentiality

In the words of DPA chair Aleid Wolfsen, "The DPA deplores the fact that a hospital does not have adequate protections in place for its patient records. This warrants a heavy fine. The relationship between caregiver and patient must be completely confidential, including within the walls of a hospital. It doesn’t matter who you are."

Protecting patient records

Hospitals must take all possible technical and organisational measures to ensure that patient data is safe. Haga Hospital was remiss in this regard in 2 ways:

  1. It failed to regularly monitor who was consulting which records. Proper monitoring would ensure prompt flagging of unauthorised access to records and enable appropriate action.
  2. It did not use two-factor authentication. This is a system in which a code or a password is linked to a staff pass, for example, to establish the identify of a user seeking access to patient records.