Dutch DPA fines OLVG hospital for inadequate protection of medical records 

11 February 2021

The Dutch Data Protection Authority (DPA) has imposed a fine of €440,000 on the Amsterdam-based hospital OLVG for its inadequate protection of patients’ medical records. Between 2018 and 2020 OLVG did not have sufficient safeguards in place to prevent unauthorised access to the records. It did not carry out proper checks of who accessed which records, and there were shortcomings in information systems security. In response to the DPA’s investigation OLVG has made the required improvements.

‘You should be able to count on whatever you discuss with your doctor staying confidential,’ DPA deputy chair Monique Verdier said. ‘It doesn’t bear thinking about that people who have no business doing so could look at your doctor’s notes and pry into your state of health and personal details. Patients have the right to expect that staff members will only access their medical records if it is necessary for the patient’s treatment. OLVG’s security measures couldn’t guarantee that. That’s a serious breach and that’s why the DPA has imposed this fine.’

Besides medical information, patient records also contain personal data like citizen service numbers, addresses and phone numbers. These types of data must also be properly secured to avoid risks like identity fraud and phishing.

Two violations

The DPA launched its investigation after a tip from a concerned member of the public, reports in the media and two notifications of data breaches by OLVG about work placement students and other staff accessing medical records even though it was not necessary for their work. After its investigation, the DPA concluded that there are structural shortcomings in the way OLVG secures access to medical records. Specifically, it found two violations of data protection law:

  • Every time a staff member accesses medical records, these details must be recorded in a log. In addition, the hospital must review this access log regularly, so that it can take timely steps if it finds that someone has accessed a record when they are not actually authorised to do so. OLVG did have an automated procedure that logged who accessed which files, but it did not review the logs often enough to check for cases of unauthorised access.
  • Good security requires two-factor authentication to establish the identity of a user who wants access to a patient record. Examples are a code or password in combination with a personnel badge. OLVG did not require two-factor authentication when access was requested from inside the hospital. Access from a location outside the hospital was secured with two-factor authentication.

‘It’s crucial to protect patient data’

‘The healthcare sector has consistently been in the top 3 sectors with the most data breaches in the past few years. And we’re talking about a sector that stores a lot of highly sensitive personal data,’ Ms Verdier said. ‘Protecting patient data is crucial. Patients share a lot of information with healthcare providers – and it’s vital that they do so, perhaps now more than ever because of COVID-19. But that means people have to be able to have confidence that their data is safe. So we’re asking hospitals and other healthcare providers to take a good look at how they protect their patient data and take steps to improve this where necessary.’ Healthcare providers can find more information about adequately protecting personal data on the DPA’s website.

Security improved

OLVG improved its systems security during the DPA’s investigation. The hospital introduced a structural procedure for reviewing access logs, as well as two-factor authentication for access to medical records from inside the hospital.

OLVG will not lodge an objection or appeal against the decision of the DPA to impose a fine.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.