First GDPR Data Breach Fine Imposed in The Netherlands
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) issued its first GDPR fine of EUR 460,000 or $515,936. The fine was imposed on the Dutch Haga Hospital for insufficient internal security of patient records.
The fine is accompanied by a cease and desist order: if the hospital has not improved its security of patient records before October 2, 2019, it must pay another EUR 100,000 or $100,000 every two weeks, with a maximum of EUR 300,000 or $336k. With this decision, the Dutch DPA showed that the healthcare industry must take all technical and organizational measures to ensure that patient information is secure.