Amsterdam Hospital Fined €440,000 for Failing to Implement 2FA and Insufficient Checks of Access Logs
OLVG hospital in Amsterdam has been fined €440,000 by the Dutch Data Protection Authority (DPA) – Autoriteit Persoonsgegevens – for failing to prevent unauthorized individuals from accessing patient medical records and for insufficient monitoring of unauthorized access.
An investigation was launched into potential violations of the General Data Protection Regulation (GDPR) after the Dutch DPA received several complaints about the hospital.
A hospital engages in large-scale processing of sensitive data, including health information and social security numbers. Given the sensitive nature of the information in medical records, the Dutch DPA concluded that 2-factor authentication should have been implemented to prevent unauthorized access.
OLVG had implemented 2-factor authentication, but only for individuals logging on from outside OLVG’s network. A username and password were all that was required to log in from within the OLVG network. The Dutch DPA also determined that single sign-on was enabled, so a user who had logged into the network was granted immediate access to medical records without any further authentication.
OLVG had stated in its privacy policies that it was compliant with the NEN standards NEN 7510, NEN 7512 and NEN 7513, which require 2-factor authentication to be implemented to establish the identities of individuals; however, 2-factor authentication had only been partially implemented.
In order to determine whether medical records have been accessed by unauthorized individuals, all log-in attempts and all medical record accesses should be logged, and those logs should be reviewed regularly. Regular review allows unauthorized access to be identified and mitigated quickly. The Dutch DPA determined that logs were created, but OLVG was not checking them frequently enough. Between January 1, 2018 and April 17, 2019, only two random checks were performed, along with eight incidental checks of the access logging of a single electronic medical record.
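The two control gaps described above (password-only logins from the internal network that single sign-on then extended to the medical record system, and access logs that were generated but rarely reviewed) can both be checked mechanically. The following is an added example, not code from OLVG, the Dutch DPA or the original article. It assumes a simple pipe-delimited log format and a constructed care-team mapping; the log lines, user names, patient identifiers and review dates are all made up for illustration.

```python
"""Added example: reviewing authentication and record-access logs.

Log format assumed here (constructed, not a real EHR product's format):
    timestamp|event|user|source_network|mfa|patient
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log lines. nurse_a logs in from the internal network with
# only a password; under single sign-on that session then reaches records.
SAMPLE_LOG = """\
2019-03-01T08:02:11|login|nurse_a|internal|no|-
2019-03-01T08:03:40|access|nurse_a|internal|no|P-1001
2019-03-01T08:15:02|login|clerk_b|external|yes|-
2019-03-01T08:16:30|access|clerk_b|external|yes|P-1001
2019-03-01T09:00:00|login|doc_c|internal|yes|-
2019-03-01T09:01:00|access|doc_c|internal|yes|P-2002
2019-03-01T09:05:00|access|doc_c|internal|yes|P-3003
"""

# Constructed treatment relationships: which staff currently treat which patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P-1001": {"nurse_a"},
    "P-2002": {"doc_c"},
    "P-3003": {"doc_d"},
}


@dataclass
class Event:
    ts: datetime
    kind: str              # "login" or "access"
    user: str
    src_net: str           # "internal" or "external"
    mfa: bool              # second factor presented at login
    patient: Optional[str]  # record accessed, None for login events


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-delimited format into Event objects, skipping blanks/comments."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, kind, user, src_net, mfa, patient = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, user, src_net,
                            mfa == "yes", None if patient == "-" else patient))
    return events


def logins_without_mfa(events: List[Event]) -> List[Tuple[str, str]]:
    """Flag every login that lacked a second factor, whatever the source network.

    The network a user connects from is not treated as an authentication factor:
    with single sign-on, a password-only network login is a password-only
    record login.
    """
    return [(e.user, e.src_net) for e in events if e.kind == "login" and not e.mfa]


def accesses_outside_care_team(events: List[Event],
                               care_team: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Record accesses by users with no documented treatment relationship.

    These are review items, not verdicts: an emergency ('break-the-glass')
    access can be legitimate, but each one needs a documented reason.
    """
    return [(e.user, e.patient) for e in events
            if e.kind == "access" and e.user not in care_team.get(e.patient, set())]


def review_gaps(check_dates: List[date], max_gap_days: int) -> List[Tuple[date, date, int]]:
    """Return (previous_check, next_check, days) wherever reviews were further apart than allowed."""
    dates = sorted(check_dates)
    gaps = []
    for earlier, later in zip(dates, dates[1:]):
        days = (later - earlier).days
        if days > max_gap_days:
            gaps.append((earlier, later, days))
    return gaps


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("logins without MFA:", logins_without_mfa(evs))
    print("accesses outside care team:", accesses_outside_care_team(evs, CARE_TEAM))
    # Constructed review calendar: two checks across a 15-month period.
    checks = [date(2018, 1, 1), date(2018, 9, 1), date(2019, 4, 17)]
    print("review gaps over 30 days:", review_gaps(checks, 30))
```

The review cadence that `review_gaps` enforces is a policy choice; the point of the function is that it turns "logs should be regularly monitored" into a measurable statement (here: no more than 30 days between reviews) that an audit can verify against the dates on which reviews actually ran.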
In response to the investigation, OLVG implemented 2-factor authentication for internal access and created a structured program for monitoring medical record access logs, but this was not sufficient to avoid a financial penalty.
The €440,000 fine was issued for the failure to comply with Article 32(1) of the GDPR between May 25, 2018 and at least May 22, 2019. OLVG is permitted to appeal the financial penalty but has chosen not to do so.