Haga Hospital fined for failing to adequately protect patient records
Haga Hospital does not have adequate safeguards in place to protect patient records, an investigation by the Dutch Data Protection Authority (DPA) has found. The investigation was initiated after it emerged that dozens of hospital staff had viewed the medical files of a Dutch celebrity. The DPA is fining Haga Hospital €460,000 for failing to adequately protect its data.
The DPA is also imposing an order subject to penalty in order to compel the hospital to improve the security of its patient records. As of 2 October 2019, the hospital will be liable to pay €100,000 for every two weeks that its data protection is not improved, up to a maximum of €300,000. Haga Hospital has stated that it is taking appropriate measures.
Update March 2021
The Hague District Court has reduced the amount of the fine imposed on Haga Hospital to €350,000. This judgment is final. The hospital had lodged an objection to both the original fine and the order subject to penalty. The DPA declared this objection unfounded. The hospital then applied to the district court for judicial review of the decision.
Following a check, the DPA concluded in December 2019 that Haga Hospital had taken adequate measures to improve the security of patient records. The hospital is thus in compliance with the order subject to penalty.
Doctor-patient confidentiality
In the words of DPA chair Aleid Wolfsen, "The DPA deplores the fact that a hospital does not have adequate protections in place for its patient records. This warrants a heavy fine. The relationship between caregiver and patient must be completely confidential, including within the walls of a hospital. It doesn’t matter who you are."
Protecting patient records
Hospitals must take all possible technical and organisational measures to ensure that patient data is safe. Haga Hospital was remiss in this regard in two ways:
- It failed to regularly monitor who was consulting which records. Proper monitoring would ensure prompt flagging of unauthorised access to records and enable appropriate action.
- It did not use two-factor authentication. In such a system, access to patient records requires two independent factors, for example a staff pass combined with a code or password, to establish the identity of the user seeking access.
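The first shortcoming, the absence of regular monitoring of who consults which records, is the one a security team can address directly with the audit trail an electronic health record system already produces. The following is an added example, not code from the DPA or from Haga Hospital, showing what such monitoring looks like in practice. It runs two checks over a constructed access log: it flags every access by a staff member who has no recorded treatment relationship with the patient, and, independently of that table, it flags any record opened by an unusually large number of distinct staff within a short window, which is exactly the pattern of many employees looking at one well-known patient's file. The log lines and the CARE_TEAM table are constructed for the example; a real deployment would derive the treatment relationships from admissions, ward assignments or order entry.

```python
"""Monitoring patient-record access logs (added example with constructed data)."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit log, not real hospital data. One row per record access.
ACCESS_LOG = """\
timestamp,staff_id,role,patient_id,action
2019-04-01T08:02:00,s101,nurse,p5001,view
2019-04-01T08:05:00,s102,physician,p5001,view
2019-04-01T08:30:00,s103,administrative,p5001,view
2019-04-01T09:10:00,s140,nurse,p7777,view
2019-04-01T09:12:00,s141,nurse,p7777,view
2019-04-01T09:15:00,s142,physician,p7777,view
2019-04-01T09:20:00,s143,nurse,p7777,view
2019-04-01T09:25:00,s144,administrative,p7777,view
2019-04-01T09:31:00,s145,nurse,p7777,view
2019-04-01T14:00:00,s140,nurse,p7777,update
"""

# Constructed (hypothetical) treatment relationships: staff with a legitimate
# reason to open a given record. A real system would derive this from
# admissions, ward assignments or order entries rather than a static table.
CARE_TEAM = {
    "p5001": {"s101", "s102"},
    "p7777": {"s140"},
}


def parse_log(text):
    """Parse the CSV audit log into dicts, converting the timestamp to datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def find_unauthorised_access(rows, care_team):
    """Return every access by staff not on the patient's care team.

    Each hit is (timestamp, staff_id, patient_id, action). A record with no
    care-team entry at all is treated as off-limits to everyone.
    """
    hits = []
    for row in rows:
        allowed = care_team.get(row["patient_id"], set())
        if row["staff_id"] not in allowed:
            hits.append((row["timestamp"].isoformat(), row["staff_id"],
                         row["patient_id"], row["action"]))
    return hits


def find_access_spikes(rows, window=timedelta(minutes=30), threshold=5):
    """Flag records opened by at least `threshold` distinct staff within `window`.

    This check does not depend on the care-team table, so it still catches the
    "many staff look at one patient" pattern when that table is incomplete.
    Returns {patient_id: peak number of distinct staff in any window}.
    """
    by_patient = defaultdict(list)
    for row in rows:
        by_patient[row["patient_id"]].append((row["timestamp"], row["staff_id"]))
    flagged = {}
    for patient_id, events in by_patient.items():
        events.sort()  # sliding window over chronologically ordered accesses
        peak = 0
        for i, (start, _) in enumerate(events):
            staff = {s for ts, s in events[i:] if ts - start <= window}
            peak = max(peak, len(staff))
        if peak >= threshold:
            flagged[patient_id] = peak
    return flagged


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    for hit in find_unauthorised_access(rows, CARE_TEAM):
        print("no treatment relationship:", hit)
    for patient_id, n in find_access_spikes(rows).items():
        print(f"record {patient_id} opened by {n} distinct staff within 30 minutes")
```

Run against the constructed log, the first check reports six accesses without a treatment relationship (one on p5001, five on p7777) and the second check reports p7777 as opened by six distinct staff inside one thirty-minute window. The two checks are deliberately independent: the relationship check catches the individual browsing employee, while the spike check is what a monitoring team would tune to alert on the same day rather than discovering the incident months later.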