Netherlands Haga Hospital Issued a €460,000 GDPR Data Breach Penalty

Autoriteit Persoonsgegevens, the Netherlands' GDPR data protection authority, has issued its very first GDPR data breach fine to Haga Hospital in The Hague. The fine of €460,000 (about $516,000) is for the hospital's security failures that led to its 2018 privacy breach.

The EU's General Data Protection Regulation requires every organization that collects or processes the personal information of EU citizens to have adequate security measures in place to keep that information private and confidential. In the event of a data breach, the entity must notify the appropriate data protection authority within 72 hours, after which the authority investigates the breach.

In the Haga Hospital case, only one patient's records were involved in the breach, but she was a very well-known Dutch person. A number of hospital employees viewed the patient's records without authorization. A Dutch news website reported that the patient was Samantha de Jong, also known as 'Barbie'.

The GDPR investigation found several security failures at the hospital, including inadequate internal access controls for patient files, no two-factor authentication, and no regular review of log files to detect unauthorized access to data. Failing to implement the security measures needed to protect personal information violates GDPR requirements and warrants a fine.
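The third finding, no regular log review, is the one a hospital can address with routine detection. The following is an added illustration, not code from the article or the hospital: it reviews a constructed EHR audit log against a constructed care-team roster and flags record accesses by staff with no treatment relationship to the patient, which is exactly the pattern in this breach. The log fields and roster format are assumptions; real EHR audit formats differ.

```python
"""Audit-log review for patient-record access (constructed example)."""
from collections import defaultdict

# Constructed sample EHR audit log: (timestamp, user, role, patient_id).
# The field layout is an assumption for this example.
SAMPLE_LOG = [
    ("2018-04-01T09:02:11", "dr.janssen", "physician", "P-1001"),
    ("2018-04-01T09:05:40", "nurse.visser", "nurse", "P-1001"),
    ("2018-04-01T10:12:03", "admin.bakker", "clerk", "P-1001"),
    ("2018-04-01T10:13:55", "dr.devries", "physician", "P-1001"),
    ("2018-04-01T11:30:00", "dr.janssen", "physician", "P-2002"),
]

# Constructed care-team roster: which staff have a treatment relationship
# with which patient. In practice this comes from the EHR's treatment
# relationship or ward-assignment data.
CARE_TEAM = {
    "P-1001": {"dr.janssen", "nurse.visser"},
    "P-2002": {"dr.janssen"},
}


def find_unauthorized_access(log, care_team):
    """Return log entries whose user has no treatment relationship
    with the patient whose record they opened."""
    return [
        entry for entry in log
        if entry[1] not in care_team.get(entry[3], set())
    ]


def flag_high_interest_patients(log, care_team, threshold=2):
    """Patients whose records were opened by at least `threshold`
    distinct users outside their care team; a cluster of such
    accesses is the 'curiosity' pattern a periodic review should catch."""
    outsiders = defaultdict(set)
    for _, user, _, patient in find_unauthorized_access(log, care_team):
        outsiders[patient].add(user)
    return {p: sorted(u) for p, u in outsiders.items() if len(u) >= threshold}


if __name__ == "__main__":
    for ts, user, role, patient in find_unauthorized_access(SAMPLE_LOG, CARE_TEAM):
        print(f"{ts} {user} ({role}) opened {patient} without a care relationship")
    print(flag_high_interest_patients(SAMPLE_LOG, CARE_TEAM))
```

Run daily over the previous day's audit export, the flagged list is the review queue a privacy officer can work through; accesses with a legitimate emergency reason would be cleared via a documented break-the-glass process rather than silenced in the rule.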

Haga Hospital is now being monitored to ensure that its security is improved. If the improvements required by the GDPR are not in place by October 2, 2019, additional penalties will be imposed, starting at €100,000 per two weeks up to a maximum of €300,000. Haga Hospital has committed to implementing further security measures to strengthen its security posture.

A similar fine of €400,000 was issued last year by the Portuguese data protection authority to Centro Hospitalar Barreiro Montijo, which likewise failed to protect its patient records from unauthorized access within the hospital.