Authorities in the Netherlands recently levied a €460,000 ($516,000) fine under the General Data Protection Regulation against a hospital in the Hague in connection with a data breach involving “dozens” of staffers who snooped on the electronic medical records of a celebrity.
The Dutch Supervisory Authority – or Authoriteit Persoonsgegevens – says it fined Haga Hospital in the Hague after a 2018 data breach involving workers who inappropriately accessed the medical records of “a well-known Dutch person.”
The news site Dutch News reports the data incident involved the records of a reality TV star, Samantha de Jong – known as “Barbie” – who was hospitalized at Haga Hospital last year.
Security Controls Lacking
The Haga Hospital “does not have the internal security of patient records in order,” the Dutch data protection agency says in its statement.
An investigation by the agency found that Haga Hospital “has not met and does not meet the requirement of two-factor authentication and regular review of log files,” the statement says.
As a result, the hospital has taken “insufficient appropriate measures” that are called for under GDPR, the statement says.
In addition to levying the fine for insufficient security, the agency says it will impose further penalties if the hospital does not improve its security practices.
“To force the hospital to improve the security of patient records, the AP simultaneously imposes an order subject to a penalty. If the Haga Hospital has not improved security before Oct. 2, the hospital must pay 100,000 euros every two weeks, with a maximum of 300,000 euros,” the statement says.
Haga Hospital has indicated it will take measures to bolster its security, the Dutch authority notes.
Portuguese Hospital Fined Earlier
Back in January, it was revealed that authorities in Portugal fined Centro Hospitalar Barreiro Montijo €400,000 ($458,000) for three violations of GDPR.
The Portuguese hospital’s GDPR infractions included allowing indiscriminate access to patients’ clinical information by an excessive number of users, failing to apply technical and organizational measures to prevent unlawful access to personal data, and failing to implement technical and organizational measures to ensure an adequate level of security, according to a report about the enforcement case by the International Association of Privacy Professionals.
Date: July 20, 2019
Source: Healthcare Info Security