A hospital in The Hague was fined € 460,000 for violating the GDPR (General Data Protection Regulation). According to the Dutch supervisory authority Autoriteit Persoonsgegevens, the offence occurred back in 2018.
Hospital Staff Gained Access to Data of Prominent Patient
The incident occurred while famous reality TV star Samantha de Jong was a patient at Haga Hospital. Staff members gained access to de Jong’s patient records. A statement by the Dutch data protection authority explained that the clinic does not have adequate internal security measures in place to sufficiently protect patient records from unauthorized access.
Some of the GDPR’s major requirements, such as two-factor authentication and regular log file reviews, were not fulfilled. The data protection authority announced that further fines would be imposed if the hospital did not improve its security precautions by October 2nd, 2019.
IT Security Flaws in Hospitals: More Common Than You Think
Unfortunately, this offence is not an exception in the healthcare sector: In December 2018, it was made public that Portuguese authorities had imposed a fine of € 400,000 on Barreiro Montijo hospital for violating the GDPR. In this incident, various staff members were able to gain unauthorized access to clinical patient records because the clinic had not taken any technical or organizational precautions to prevent internal data misuse.
In both cases, access to the system should have been limited so that only persons who actually need patient data for medical purposes can access it.
Access Rights Management Provides Protection Against Data Theft and Abuse
These incidents, both in Portugal and in the Netherlands, could have been prevented had the hospitals implemented adequate access rights management software. With tenfold, you can be sure that the appropriate access rights will be in place to protect confidential data from unauthorized access. Make sure that only those people who actually need data to do their jobs have access to it. This way, your data will not be compromised due to incorrectly set access rights!