The District Court of The Hague ruled on March 31, 2021, in a case concerning a fine imposed by the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, on a hospital in The Hague. The hospital was fined for violating the GDPR (AVG in Dutch) because patients' personal data were not adequately protected. The AP had imposed a fine of 460,000 euros, but the court reduced it to 350,000 euros.

On April 4, 2018, the hospital reported a data breach to the AP. The breach concerned unauthorized access to the patient record of a well-known Dutchman. The AP subsequently conducted an investigation, which resulted in a fine and an order subject to a penalty payment. According to the AP, the hospital should have implemented two-factor authentication and had failed to regularly review the logs of access to patient records.

According to the court, the AP was allowed to impose a fine and an order subject to a penalty payment. However, the court found the amount in this case too high and saw reason to reduce the fine to €350,000. The court considered it important that the hospital did take a number of measures to prevent personal data in the digital patient file from being viewed by unauthorized employees. The hospital also introduced two-factor authentication and intensified logging during the objection phase. According to the court, the measures taken by the hospital at least show a willingness to deal with the problems in the organization and put the negligence of which the hospital is accused into perspective.