Digital Guardian's Blog

Dutch Data Protection Authority Issues First GDPR Fine

by Chris Brook on Thursday July 25, 2019

The fine, against a large hospital, stems from its apparent lack of internal patient record security.

The Netherlands' data protection authority, the Autoriteit Persoonsgegevens (Dutch DPA), added to the recent run of General Data Protection Regulation fines last week, fining a hospital for failing to adequately secure its patient records. It was the first fine the DPA has imposed since GDPR took effect in May 2018.

On July 16, the DPA fined HagaZiekenhuis, the largest hospital in The Hague region, EUR 460,000 (roughly $513,647) for insufficient internal security of patient records.

The hospital, also known as The Haga, is one of nineteen large teaching hospitals in the Netherlands.

According to the DPA, the hospital did not have appropriate controls in place to protect its patients' records. The case came to light in 2018 after a well-known Dutch person was treated at the hospital and "dozens of hospital staff," nearly 100 in all, were found to have looked at that person's medical records without a legitimate reason.

According to the DPA, at least two of the Haga's security measures fell short. First, the hospital had no way to alert administrators when an employee opened a record they had no business viewing; without real-time flagging of such access, the DPA said, there was no way to act on the misuse. Second, the records system did not require two-factor authentication, which would have made a user with legitimate access confirm their identity with a second factor, such as a code or password, before the record was opened.
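The first gap the DPA describes, no alert when an employee opens a record they have no treatment relationship with, is the kind of check a hospital's access-log monitoring should implement. The following is an added illustration written for this post, not the Haga's system or anything the DPA published. It assumes a simple pipe-delimited EHR audit-log format and a "care team" mapping of patient to authorized users, both invented here; the log lines and identifiers are constructed. It also goes a step beyond a per-event check and looks for the burst pattern in this case: one patient's record opened by many distinct unauthorized users within a short window.

```python
"""Constructed example: monitor an EHR access log for record snooping.

Two checks are modelled:
1. Flag any access by a user with no documented treatment relationship with
   the patient who did not declare a break-glass (emergency) access.
2. Flag a patient whose record is opened by an unusually large number of
   distinct unauthorized users inside a short window, the signature of a
   'VIP patient' snooping wave.
All identifiers, roles, the log format and the log lines are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str
    break_glass: bool


def parse_log(lines):
    """Parse constructed 'ISO-time|user|patient|action|flags' lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action, flags = line.split("|")
        events.append(AccessEvent(
            datetime.fromisoformat(ts), user, patient, action,
            "break_glass" in flags.split(","),
        ))
    return events


def unauthorized_accesses(events, care_team):
    """Events by users outside the patient's care team with no break-glass flag.

    care_team maps patient id -> set of user ids with a treatment relationship.
    Each returned event is what a real-time alert to administrators would carry.
    """
    return [e for e in events
            if e.user not in care_team.get(e.patient, set()) and not e.break_glass]


def snooping_bursts(events, care_team, window=timedelta(hours=24), threshold=5):
    """Patients whose record was opened by more than `threshold` distinct
    unauthorized users within any `window`; returns {patient: peak_user_count}."""
    by_patient = defaultdict(list)
    for e in unauthorized_accesses(events, care_team):
        by_patient[e.patient].append(e)
    bursts = {}
    for patient, evs in by_patient.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.user for e in evs[start:end + 1]}
            if len(distinct) > threshold:
                bursts[patient] = max(len(distinct), bursts.get(patient, 0))
    return bursts


# Constructed sample data. P-0042 stands in for the high-profile patient.
CARE_TEAM = {
    "P-0042": {"dr.ahmed", "nurse.vos"},
    "P-0077": {"dr.ahmed"},
}

SAMPLE_LOG = """
# ts|user|patient|action|flags
2019-04-02T08:01:00|dr.ahmed|P-0042|VIEW|
2019-04-02T08:05:00|nurse.vos|P-0042|VIEW|
2019-04-02T09:12:00|clerk.jansen|P-0042|VIEW|
2019-04-02T09:15:00|lab.bakker|P-0042|VIEW|
2019-04-02T09:20:00|radio.smit|P-0042|VIEW|
2019-04-02T10:02:00|physio.devries|P-0042|VIEW|
2019-04-02T10:30:00|admin.meijer|P-0042|VIEW|
2019-04-02T11:45:00|nurse.mulder|P-0042|VIEW|
2019-04-02T12:00:00|dr.ahmed|P-0077|VIEW|
2019-04-02T12:30:00|er.dr.peters|P-0077|VIEW|break_glass
2019-04-03T14:00:00|clerk.jansen|P-0077|VIEW|
""".strip().splitlines()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unauthorized_accesses(evs, CARE_TEAM):
        print(f"ALERT {e.ts.isoformat()} {e.user} opened {e.patient} without a care relationship")
    for patient, n in snooping_bursts(evs, CARE_TEAM).items():
        print(f"BURST {patient}: {n} distinct unauthorized users within 24h")
```

The break-glass flag matters in practice: emergency access by a clinician outside the care team is legitimate and must be allowed, so it is excluded from the alert but should still be logged and reviewed after the fact. The burst check is what would have surfaced the Haga incident quickly even if individual accesses looked plausible in isolation.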

In the eyes of the DPA, the hospital violated Article 32(1) of GDPR, which requires that the controller and the processor "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

The hospital has said it will take the necessary measures, but if it has not brought its security up to standard by October 2, the DPA will impose a further penalty of EUR 100,000 for every two weeks of non-compliance, up to a maximum of EUR 300,000.

Snooping on a celebrity's medical records is tempting for hospital employees even where, as in the United States, it violates HIPAA. Several employees at Northwestern Memorial Hospital in Chicago were reportedly dismissed after accessing health records belonging to Jussie Smollett, an actor who was a patient there following an alleged attack earlier this year.

By deploying a strict data loss prevention solution, hospitals and healthcare facilities alike can prevent inappropriate access while safeguarding Protected Health Information (PHI).

Tags: Healthcare, GDPR

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.