The Authoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, has imposed its first substantial fine, amounting to 460,000 euros: almost half a million euros charged for the insufficient internal security of patient records at Haga Hospital in The Hague. This follows the Authoriteit Persoonsgegevens's agenda of data protection enforcement in the public and health sectors.
The case emerged when a famous Dutch media and television personality was admitted to the hospital. Their medical data was viewed by a significant number of unauthorized members of staff. This prompted an investigation by the Authoriteit Persoonsgegevens into the hospital's meager data protection standards, measured against the requirements of Article 32 GDPR.
As is evident from the comments of Carle van de Wiel, the hospital's chairman, the hospital's reaction is negative: it criticizes the fine because the financial limitations it imposes will, in the hospital's view, inhibit medical advancement there. Van de Wiel also expressed the hospital's intention to appeal the fine.
In addition, the Authoriteit Persoonsgegevens has imposed a provisional fine that takes effect should the shortcomings not be remedied by the 2nd of October. Failure to meet the privacy standards envisaged in Article 32 of the GDPR could incur additional penalties of 100,000 euros per week, up to a maximum of 300,000 euros. In an attempt to remedy the situation, the hospital issued an official warning to the 85 members of staff whose unnecessary and unauthorized access to the aforementioned celebrity's data led to the discovery of the breach.
The Dutch DPA's chairman, Aleid Wolfsen, commented on the case, expressing his concern at the sub-standard level of data security compared with what the GDPR requires. For instance, no technical measures, such as access restrictions and authentication, were enforced, so every healthcare professional was able to access the medical documents and profiles of every patient, not only those in their care. Wolfsen also highlighted the essential principle of the GDPR at stake in this case: that each individual is entitled to the same level of data protection and privacy, regardless of identity or personal characteristics. He also underlined that the breach was all the more serious because of the confidentiality owed between patient and hospital.
The ramifications of this breach stretch wider than stricter privacy enforcement within the hospital. Many associate it with the potential hazards a national digital medical record system would have posed had the proposed system not been withdrawn in 2011. It also reflects the growing importance of adequate security for patient records, which fall within the special categories of personal data.