Orthodontic practice fined for unsecured patient website

Themes:
Security of personal data
Using and sharing health data
Citizen Service Number (BSN)

The Dutch Data Protection Authority (DPA) has imposed a €12,000 fine on an orthodontic practice for allowing new patients to register on an unsecured website. As a result, patients’ sensitive personal data, such as their citizen service number, could have fallen into the wrong hands.

‘When you register with an orthodontist, you entrust your personal data to them,’ explained DPA deputy chair Monique Verdier. ‘This is data that the practice needs, but it is also of interest to criminals. Taking good care of your patients includes taking good care of their personal data. This applies to all care providers, not just large institutions.’

Complaint about a privacy violation

The orthodontic practice’s unsecured website came to the DPA’s attention when a complaint was lodged. The DPA decided to investigate because the complaint concerned poor security in the healthcare sector, where data protection requirements are very strict.

The web form that new patients used to register contained mandatory fields requiring all kinds of personal data, as well as data concerning the patient’s parents, general practitioner, dentist and insurance company.

The information that patients provided on the form was then sent to the orthodontic practice over an unencrypted – and therefore insecure – connection.
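The weakness described above, a registration form whose submitted data travels without TLS, is easy to catch before a page goes live: the page itself must be served over HTTPS, and every form must post to an HTTPS URL (a relative `action` inherits the scheme of the page it sits on, so an otherwise fine form on an HTTP page still posts in plaintext). The following checker is an added example and is not code from the DPA, the practice or any vendor; the hostname `orthodontist.example`, the sample HTML and the list of sensitive-field name hints are constructed for illustration.

```python
"""Audit HTML forms for plaintext submission of personal data.

Added example (not from the DPA press release). Given the URL a page is
served from and its HTML, it reports every <form> whose resolved submit
target is not https, together with the sensitive-looking fields it carries.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed hints for field names that usually hold sensitive data
# (citizen service number, date of birth, insurer, parent, GP, dentist).
SENSITIVE_FIELD_HINTS = ("bsn", "citizen", "birth", "dob", "insur",
                         "parent", "gp", "dentist")


class FormCollector(HTMLParser):
    """Collect each <form>'s action, method and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return findings for forms that would submit over an unencrypted channel.

    page_url is the URL the page is actually served from; a relative action
    resolves against it, which is how an http:// page leaks an entire form
    even when the markup itself looks harmless.
    """
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])  # "" resolves to the page itself
        sensitive = [f for f in form["fields"]
                     if any(h in f.lower() for h in SENSITIVE_FIELD_HINTS)]
        if urlsplit(target).scheme != "https":
            findings.append({
                "target": target,
                "method": form["method"],
                "sensitive_fields": sensitive,
                "issue": "form submits over an unencrypted connection",
            })
    return findings


# Constructed sample: a patient-intake page with three forms.
SAMPLE_HTML = """
<html><body>
<form action="/submit" method="post">              <!-- relative: inherits page scheme -->
  <input name="patient_name"><input name="bsn">
  <input name="parent_name"><input name="insurer"><input name="gp_name">
</form>
<form action="https://intake.orthodontist.example/submit" method="post">
  <input name="patient_name"><input name="bsn">
</form>
<form action="http://legacy.orthodontist.example/submit" method="post">
  <input name="email">                                <!-- absolute http: always plaintext -->
</form>
</body></html>
"""


def audit_sample(scheme="http"):
    """Run the audit on the constructed page served over the given scheme."""
    return audit_forms(f"{scheme}://orthodontist.example/register", SAMPLE_HTML)


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(f"page served over {scheme}:")
        for finding in audit_sample(scheme):
            print(" ", finding["issue"], "->", finding["target"],
                  "sensitive:", finding["sensitive_fields"])
```

Run against the same markup served over `http://`, the audit flags two forms (the relative one and the absolute `http://` one); served over `https://`, only the absolute `http://` target remains, which is the case a simple "does the site have a padlock" check misses.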

Extra protection for children

Most orthodontic patients are children, and this case concerned the personal data of mainly children. Children are considered an especially vulnerable group in privacy legislation and as such they are given extra protection under the law to prevent abuse of their personal data.

Sensitive information

‘You must be able to assume that your care providers not only protect the confidentiality of your personal data, but also that they take the protection of your data very seriously and have appropriate security in place,’ said Monique Verdier.

‘Unfortunately, that is not always the case. If the confidentiality of sensitive personal data is breached, this could put people at serious risk. It could, for example, lead to fraud.’

Further procedure

The DPA’s decision to impose the fine is not yet final and irrevocable. The orthodontic practice lodged an objection to the fine. The DPA declared the objection unfounded. The practice can submit an application for judicial review of that decision to the district court.
