OLVG hospital fined for inadequate security of medical records
The Personal Data Authority (AP) is imposing a fine of 440,000 euros on the Amsterdam hospital OLVG. The hospital had taken too few measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. This was due to insufficient control over who viewed which file and inadequate security of computer systems. Following the AP's investigation, the OLVG implemented the required improvements.
Personal Data Authority, February 11, 2021
'You have to be able to trust that what you discuss with the doctor stays in the consulting room,' says AP vice president Monique Verdier. 'You shouldn't think that people who have no business there at all can just poke around in the doctor's notes about you and your illness. Patients must be able to assume that employees will only see medical records if it is necessary for their treatment. The OLVG took too few security measures to ensure this. That is serious and that is why the AP is now imposing this fine on the OLVG.'
In addition to medical data, the files contain information such as citizen service numbers, addresses and telephone numbers. This data must also be well protected, because of the risks of, for example, identity fraud and phishing.
Two violations
The AP launched the investigation after a tip from a concerned citizen, signals from the media and two data breach reports from the OLVG about work-study students and other employees who had accessed medical records without this being required for their work. After its investigation the AP concluded that the OLVG had not consistently managed access to medical records properly. The AP found two violations:
- The hospital must keep track of, and regularly monitor, who consults which file. In this way the hospital can identify in time when someone consults a file they are not allowed to see and take measures against this. The OLVG did keep automatic records of which employee consulted which medical file and when (logging), but did not check that logging often enough for unauthorized access.
- Good security involves authentication with at least two factors. The identity of a user who accesses a patient record is then established, for example, with a code or password in combination with a staff pass. The OLVG did not use this two-factor authentication inside the hospital. Logging in from outside the hospital did use two-factor authentication.
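The first violation above is, in practice, a log-review task: the access log already records which employee opened which record and when, so the missing step is comparing each access against a legitimate reason to look. The following is an added example, not the OLVG's or the AP's system; the log format, the field names and the care-team table are assumptions constructed here. It parses constructed access-log lines, flags every consultation by an employee who had no treatment relationship with the patient at that moment, summarizes the flagged accesses per employee so a privacy officer can follow up, and checks whether the review itself is overdue against a chosen maximum interval.

```python
"""Added example (not OLVG's or the AP's code): review a medical-record
access log for consultations without a treatment relationship.

Assumptions: log lines are 'timestamp;employee_id;role;patient_id;action',
and a care-team table states which employees treat which patient and when.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2020-03-02T08:15:00;E100;physician;P001;view
2020-03-02T08:20:00;E200;nurse;P001;view
2020-03-02T12:05:00;E300;intern;P001;view
2020-03-02T12:06:00;E300;intern;P002;view
2020-03-02T13:40:00;E100;physician;P002;view
2020-03-03T09:00:00;E400;admin;P003;view
"""

# Constructed treatment relationships: patient -> {employee: (from, to)},
# dates inclusive. An empty dict means nobody is currently treating the patient.
CARE_TEAM = {
    "P001": {"E100": ("2020-03-01", "2020-03-31"),
             "E200": ("2020-03-01", "2020-03-31")},
    "P002": {"E100": ("2020-03-01", "2020-03-31")},
    "P003": {},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Turn the semicolon-separated log lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, role, pat, action = line.split(";")
        events.append(AccessEvent(datetime.fromisoformat(ts), emp, role, pat, action))
    return events


def has_treatment_relationship(event, care_team=CARE_TEAM):
    """True if the employee was on the patient's care team at access time."""
    period = care_team.get(event.patient, {}).get(event.employee)
    if period is None:
        return False
    start = datetime.fromisoformat(period[0])
    end = datetime.fromisoformat(period[1]).replace(hour=23, minute=59, second=59)
    return start <= event.ts <= end


def find_unauthorized(events, care_team=CARE_TEAM):
    """Accesses where no treatment relationship justified the consultation."""
    return [e for e in events if not has_treatment_relationship(e, care_team)]


def summarize_by_employee(flagged):
    """Count flagged consultations per employee for follow-up."""
    return Counter(e.employee for e in flagged)


def review_overdue(last_review, now, max_interval_days):
    """True if the log has not been reviewed within the chosen interval."""
    return (now - last_review).days > max_interval_days


if __name__ == "__main__":
    flagged = find_unauthorized(parse_log(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.ts.isoformat()} {e.employee} ({e.role}) consulted {e.patient} "
              f"without a treatment relationship")
    print("per employee:", dict(summarize_by_employee(flagged)))
    # Constructed dates: last review on 1 January, run on 1 March, policy 30 days.
    print("review overdue:",
          review_overdue(datetime(2020, 1, 1), datetime(2020, 3, 1), 30))
```

The care-team table is the key input: without a record of who is treating whom, a reviewer can only spot anomalies by volume, not by entitlement. Accesses that are flagged are a starting point for questions, not a verdict, since legitimate consultations outside a registered care team (consults, emergencies) exist and should be captured by their own, separately reviewed reason codes.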
'Protection of patient data crucial'
'Especially in healthcare, where the most sensitive personal data is in the systems, we see many data breaches: in recent years, healthcare has always been in the top three sectors with the most data breaches,' Verdier says. 'While the protection of patient data is crucial. Patients share a lot of data with healthcare institutions, and they need to, lately due to the corona crisis perhaps more than ever. People need to be able to trust that their data is safe. We therefore call on hospitals and other healthcare institutions to check very carefully how they have arranged the protection of patient data and to improve it where necessary.' Healthcare institutions can consult the AP's site for information on proper protection of personal data.
Improvements made
During the AP's investigation, the OLVG implemented improvements. Since then, the hospital has monitored the access logging on a structural basis and has introduced two-factor authentication inside the hospital as well.
The hospital is not appealing or objecting to the AP's fine.