The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA“) issued its first GDPR-fine of EUR 460,000 or $515,936. The fine was imposed on the Dutch Haga Hospital for having an insufficient internal security of patient records.

Accompanied with the fine is a cease and desist order: If the hospital has not improved its security of patient records before October 2, 2019, it must pay another EUR 100,000 or $100,000 every two weeks, with a maximum of EUR 300.000 or $336k. The Dutch DPA proved that heathcare industry must take all technical and organizational measures to ensure that patient information is secure.

According to the news report, the first GDPR-fine does not come as a surprise, as in December 2018, the Dutch DPA already announced that it would focus its enforcement actions on the public and health sector. Prior to imposing the fine, the Dutch DPA initiated an investigation after 197 employees at the hospital had accessed the medical records of a Dutch celebrity. During its investigation, the Dutch DPA checked whether to hospital’s information security systems met the security requirements of Article 32 GDPR and,other specific health care sector security standards. 

The Dutch DPA, says the report, concluded that the Haga Hospital had taken insufficient security measures with respect to authentication and the control of logging, which constitutes a breach of Article 32 of the GDPR. With respect to authentication, the hospital did not have two-factor authentication in place when it comes to patient records. With only doing a random security sheck of six patient records a year, the Dutch DPA mentions that the hospital did not meet the requirement of systematic, risk-oriented or intelligent control, in particular considering the scale of data processing by the hospital.

The Dutch DPA concluded that that logging control must be systematic and consistent, says the report.