In the first half of 2019, the Autoriteit Persoonsgegevens (AP) received 11,906 reports of data breaches. This amounts to about 2,000 reports per month. If this trend continues, the AP expects an increase of 14 percent for all of 2019 compared to 2018. Most data breaches are again reported by the healthcare sector. The AP is therefore giving healthcare institutions tips on how to prevent some common types of data breaches.

Since the mandatory data breach notification came into force, the AP has received most reports from the healthcare sector, in addition to data breach reports from the financial sector and the public administration sector. This has prompted the AP to highlight this sector in the data breach report.
Within the healthcare sector, the largest number of data breach notifications comes from hospitals (23%) and pharmacies (22%). Most reports are made after personal data was sent to the wrong recipient. Smaller healthcare organizations such as health and welfare organizations (24%), social services (15%) and dentists (6%) report data breaches due to hacking, malware or phishing more often than larger healthcare organizations.
Monique Verdier, vice president of the AP: "Careful handling of personal data is inseparable from good healthcare. We have recently seen a number of unpleasant examples of data breaches, which can have incredibly unpleasant consequences for the people involved. Hospitals and other healthcare institutions must therefore make privacy protection a priority."
The most frequently reported cause of a data breach is sending personal data to the wrong recipient (63%). More than half of all reports involve data from 1 person (58%). Reported data breaches affecting 5,000 or more individuals are often (47% of cases) caused by hacking, malware and/or phishing.
In over 500 data breach reports, the AP took action with the organizations that reported a data breach. In most cases (84%), the organization is contacted by telephone for additional information. In other cases, the AP sends the organization a letter explaining the applicable standards or urges action through an interview.
From signals and tips from data subjects, among others, the AP notes that not all data breaches that must be reported are actually reported, or reported in time (within 72 hours of discovery). The AP considers this a serious matter. The AP has 17 ongoing investigations of organizations that have (potentially) failed to report a notifiable data breach. Four investigations have been launched as a result of a data breach that was reported late. These investigations may lead to a sanction. In the second half of 2019, the AP will start more (short-term) investigations into unreported and late-reported data breaches.
