The HagaZiekenhuis does not have the internal security of patient records in order. This is the conclusion of an investigation by the Autoriteit Persoonsgegevens (AP). The investigation was prompted by reports that dozens of hospital employees had accessed the medical records of a Dutch celebrity without any need to do so. The AP has imposed a fine of 460,000 euros on the HagaZiekenhuis for the inadequate security.

To compel the hospital to improve the security of patient records, the AP is also imposing an order for periodic penalty payments on the HagaZiekenhuis. If the HagaZiekenhuis has not improved security by October 2, 2019, the hospital must pay 100,000 euros every two weeks, up to a maximum of 300,000 euros. The HagaZiekenhuis has since indicated that it will take measures.
Aleid Wolfsen, chairman of the AP: 'The AP finds it a serious matter that a hospital does not have the internal security of patient records in order. A firm fine is appropriate for this. The relationship between a healthcare provider and a patient should be completely confidential. Even within the walls of a hospital. It doesn't matter who you are.'
A hospital must take all technical and organizational measures to ensure that patient data is secure. The HagaZiekenhuis has inadequate security measures in two areas:
The hospital should regularly check who is consulting which record. That way the hospital can detect in time when an unauthorized person nevertheless consults a record and take action against it;
Good security includes authentication with at least two factors. For example, a user's identity for accessing a patient record is then established with a code or password in combination with a staff pass.
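As an added illustration of the monitoring the AP describes (this is example code, not anything from the AP report or the hospital): detection logic run over a constructed record-access audit log, flagging consultations by staff who have no treatment relationship with the patient and records consulted by unusually many distinct users. The log format, the staff and patient identifiers, the treatment-relationship table and the threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample audit log of record consultations (not real data).
SAMPLE_LOG = """\
2019-04-01T08:05:00 user=nurse01 patient=P100 action=view
2019-04-01T08:07:00 user=doc07 patient=P100 action=view
2019-04-01T09:30:00 user=admin22 patient=P100 action=view
2019-04-01T09:31:00 user=nurse14 patient=P100 action=view
2019-04-01T09:40:00 user=lab03 patient=P100 action=view
2019-04-01T10:00:00 user=doc07 patient=P205 action=view
2019-04-01T10:15:00 user=nurse01 patient=P205 action=update
"""

# Constructed treatment relationships: staff actually involved in each patient's care.
TREATMENT_RELATIONSHIPS = {
    "P100": {"nurse01", "doc07"},
    "P205": {"doc07", "nurse01"},
}


def parse_log(text):
    """Turn 'timestamp key=value ...' audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        if {"user", "patient", "action"} <= fields.keys():
            fields["ts"] = parts[0]
            events.append(fields)
    return events


def detect_unauthorized_access(text, relationships, fan_in_threshold=3):
    """Return alerts for (a) accesses outside a treatment relationship and
    (b) records consulted by more distinct users than the threshold allows."""
    alerts = []
    viewers = defaultdict(set)  # patient -> set of users who consulted the record
    for ev in parse_log(text):
        viewers[ev["patient"]].add(ev["user"])
        if ev["user"] not in relationships.get(ev["patient"], set()):
            alerts.append(("no_treatment_relationship", ev["user"], ev["patient"]))
    for patient, users in viewers.items():
        if len(users) > fan_in_threshold:
            alerts.append(("unusual_fan_in", len(users), patient))
    return alerts


if __name__ == "__main__":
    for alert in detect_unauthorized_access(SAMPLE_LOG, TREATMENT_RELATIONSHIPS):
        print(alert)
```

In practice the treatment-relationship table comes from the hospital's scheduling or admission system, and alerts are reviewed by the privacy officer rather than acted on automatically.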
The AP's decision is still subject to appeal.
Appendix: Investigation into access to the digital patient records of the HagaZiekenhuis
Attachment: Fine decision HagaZiekenhuis
