On July 16, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a fine of €460,000 on a Dutch hospital, HagaZiekenhuis, for insufficient security measures under Article 32 of the EU General Data Protection Regulation (“GDPR”).

In particular, the Dutch DPA found that the hospital had not implemented appropriate security measures to prevent unnecessary access to patients’ records. The hospital had failed to (1) implement appropriate access controls, and (2) use an access system requiring at least two-factor authentication (i.e., the identity of a user must be verified using a combination of a password and a staff pass).

In addition to the fine, the Dutch DPA imposed a penalty of €100,000, due every two weeks with a maximum of €300,000, if the hospital does not remediate the situation and implement appropriate security measures by October 2, 2019.

The hospital can still appeal the Dutch DPA’s decision.

Read the press release, the decision and the investigation report, which are available only in Dutch.