FineME
Cybersecurity · Healthcare · 2020

Haga Ziekenhuis

Haga Ziekenhuis (Hague Academic Hospital) failed to implement adequate access controls and audit logging for electronic patient records, violating GDPR Art. 32 and Dutch medical confidentiality obligations. The investigation by the Autoriteit Persoonsgegevens (AP), triggered by media reports that dozens of hospital staff had accessed the records of a high-profile patient without clinical justification, found systemic failures in role-based access controls and alerting mechanisms. The hospital was ordered to implement corrective measures within four months, under threat of additional periodic penalties.

Fine imposed: €460,000
Authority: Autoriteit Persoonsgegevens

Enforcement style: balanced
Avg. investigation: 18 months
Regulation: Algemene Verordening Gegevensbescherming (Dutch GDPR Implementation)
Max fine: €20M or 4% of global annual turnover (Tier 2); €10M or 2% (Tier 1)
Status: active
Key Takeaways
  • Healthcare organisations must implement role-based access controls with active audit logging for patient records — technical enforcement of access policies, not merely written policies, is required under GDPR Art. 32.