According to the news report, the first GDPR-fine does not come as a surprise, as in December 2018, the Dutch DPA already announced that it would focus its enforcement actions on the public and health sector. Prior to imposing the fine, the Dutch DPA initiated an investigation after 197 employees at the hospital had accessed the medical records of a Dutch celebrity. During its investigation, the Dutch DPA checked whether to hospital’s information security systems met the security requirements of Article 32 GDPR and,other specific health care sector security standards. 

The Dutch DPA, says the report, concluded that the Haga Hospital had taken insufficient security measures with respect to authentication and the control of logging, which constitutes a breach of Article 32 of the GDPR. With respect to authentication, the hospital did not have two-factor authentication in place when it comes to patient records. With only doing a random security sheck of six patient records a year, the Dutch DPA mentions that the hospital did not meet the requirement of systematic, risk-oriented or intelligent control, in particular considering the scale of data processing by the hospital.

The Dutch DPA concluded that that logging control must be systematic and consistent, says the report.