Vaccination data of 700 patients shared with RIVM without consent

Permission to record vaccination data

The RIVM records the data of vaccinees if they give permission. When making an appointment for vaccination, people are asked whether data may be shared with the RIVM. A database stores the citizen service number, date of birth, name, address, reason for vaccination (such as occupation or age), date and place of vaccination, vaccine name and serial number. The RIVM keeps this vaccination data for up to 20 years. The data of people who do not consent to registration of vaccination data are made anonymous.

The registration of personal data is used to determine, for example, how many people in the Netherlands are vaccinated. The data are also used to measure the effectiveness of the vaccination program.

Data breach at software developer

The data breach occurred due to a software error in the system used by general practitioners to transmit vaccination data. Personal data of 700 vaccinees were shared with RIVM without permission. 500 people had expressly indicated that their information should not be shared. Of the remaining 200 patients, it is not known whether they gave consent.

The developer of the system confirmed the data leak to BNR. The developer let it be known that it was a temporary software error and that the problem has since been fixed. It went wrong at 70 GP practices.

The RIVM also confirms that they received personal data wrongfully. A RIVM spokesperson told BNR that this happens more often. The data breach was reported to the Autoriteit Persoonsgegevens and the data that had been sent in error have since been removed from the vaccination database.

Also data breach GGD?

In addition to general practitioners, the GGD also shares vaccination data with RIVM. The GGD is not yet aware of any cases in which vaccination data has been shared with people who have not given their consent. A spokesperson told BNR that it cannot be excluded that a similar data leak could also occur at the GGD.