The first GDPR data breach fine has been issued by Authoriteit Persoonsgegevens, the GDPR data protection authority in the Netherlands, to Haga Hospital in the Hague. The hospital is to pay a GDPR fine of €460,000 or $516,000 for the its security failures that caused a privacy breach in 2018.
The EU’s General Data Protection Regulation requires all entities that collect or process EU citizens’ personal information to have sufficient security measures to maintain the privacy and confidentiality of all information. In the event of a data breach, the proper data protection authority must be notified within 72 hours and a breach investigation should follow.
Regarding the Haga Hospital breach, the records of only one patient were involved. The Dutch patient was very popular and several hospital employees accessed her records without authorization. A Dutch News site identified the patient as Samantha de Jong, also called ‘Barbie.’
The GDPR investigation revealed a number of security failures committed by the hospital which include: the lack of internal security controls to protect patient files, no two-factor authentication system in place, and not monitoring log files on a regular basis to identify unauthorized data access. Not having the appropriate security measures to protect the personal data of consumers is a violation of the GDPR requirements and must be penalized.
Haga hospital is currently subject to monitoring to check the upgrade of its security. Authoriteit Persoonsgegevens will issue further penalties if there is no security improvement as demanded by the GDPR on or before October 2, 2019. A penalty of €100,000 to as high as €300,000 per two weeks may be issued. Haga Hospital agreed to implement more security measures to fortify its security posture.
The Portuguese data protection authority issued a similar fine worth €400,000 last year. Centro Hospitalar Barreiro Montijo in Portugal also commited security failures that led to the unauthorized access of its private records within the hospital.