Patient Record Snooping Incident Leads to GDPR Fine

Hospital in The Netherlands Slapped With Fine; May Face Additional Penalties
Authorities in the Netherlands have smacked Haga Hospital with a GDPR fine.

Authorities in the Netherlands recently levied a €460,000 ($516,000) fine under the General Data Protection Regulation against a hospital in the Hague in connection with a data breach involving “dozens” of staffers who snooped on the electronic medical records of a celebrity.

The Dutch Supervisory Authority, or Autoriteit Persoonsgegevens, says it fined Haga Hospital in the Hague after a 2018 data breach involving workers who inappropriately accessed the medical records of “a well-known Dutch person.”

The news site Dutch News reports the data incident involved the records of a reality TV star, Samantha de Jong, known as “Barbie,” who was hospitalized at Haga Hospital last year.

Security Controls Lacking

The Haga Hospital “does not have the internal security of patient records in order,” the Dutch data protection agency says in its statement.

An investigation by the agency found that Haga Hospital “has not met and does not meet the requirement of two-factor authentication and regular review of log files,” the statement says.

As a result, the hospital has taken “insufficient appropriate measures” that are called for under GDPR, the statement says.

In addition to levying the fine for insufficient security, the agency says it will issue further fines if the hospital does not improve its security practices.

“To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before Oct. 2, the hospital must pay 100,000 euros every two weeks, with a maximum of 300,000 euros,” the statement says.

Haga Hospital has indicated it will take measures to bolster its security, the Dutch authority notes.

Portuguese Hospital Fined Earlier

Back in January, it was revealed that authorities in Portugal fined Centro Hospitalar Barreiro Montijo €400,000 ($458,000) for three violations of GDPR (see GDPR Compliance: Tougher Than HIPAA Compliance?).

The Portuguese hospital's GDPR infractions included allowing indiscriminate access to patients' clinical information by an excessive number of users, failing to apply technical and organizational measures to prevent unlawful access to personal data, and failing to implement technical and organizational measures to ensure an adequate level of security, according to a report on the enforcement case by the International Association of Privacy Professionals.

Similar Issues

The GDPR case against the hospital in the Netherlands has some similarities to the Portugal case, says attorney Elizabeth Harding, of the law firm Polsinelli.

“It is interesting that, again, this [Netherlands] fine does not relate to an external hacking type of security incident, but rather a failure to secure access to data at the system level,” she says.

“This is a similar situation to that of Centro Hospitalar Barreiro Montijo, which was fined last year for, among other things, failure to put in place appropriate access controls. Both of these cases highlight the need to review system access to ensure that access is limited to personnel with a genuine need to know, put in place appropriate internal policies and procedures to enforce those access controls and offer training to ensure that personnel understand why they are in place and the implications of breaching them.”

Common Problems

Medical record snooping cases, along the lines of the Netherlands incident, have also been a problem in the U.S.

For instance, UCLA Health System in 2011 entered a resolution agreement with the U.S. Department of Health and Human Services as a result of a record snooping incident. The hospital paid a $865,500 penalty and agreed to a corrective action plan aimed at improving its HIPAA compliance.

Two celebrity patients alleged that UCLA employees repeatedly viewed their electronic protected health information, as well as those of other patients, without permission.

“Access controls, policies and procedures, and sanctions regarding impermissible uses of PHI are some of the most important tools in the healthcare entity tool chest when it comes to employee snooping,” says privacy attorney Iliana Peters of the law firm Polsinelli, who is a former official at the U.S. Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA.

“Employees only comply with policies, procedures and legal requirements if they know there will be consequences if they don’t, so sanctions must be applied fairly across the enterprise and immediately upon discovery of infractions,” she says.

GDPR Fines in the News

Earlier this month, Britain's data protection authority, the Information Commissioner's Office, announced a proposed fine of €184 million ($230 million) against British Airways after breaches last September and October enabled attackers to route customers to a fraudulent site, exposing 500,000 customers' personal details.

The ICO also confirmed a proposed fine of £99 million ($125 million) against Marriott International for its failure to stop a four-year breach that globally exposed approximately 339 million customer records.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.