AP (The Netherlands) - Boete HagaZiekenhuis

| AP - Boete HagaZiekenhuis | |
|---|---|
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 18.06.2019 |
| Fine: | 460,000 EUR |
| Parties: | Stichting HagaZiekenhuis |
| National Case Number/Name: | Boete HagaZiekenhuis |
| European Case Law Identifier: | n/a |
| Appeal: | Appealed - Partly Confirmed Rb. Den Haag (Netherlands) ECLI:NL:RBDHA:2021:3090 |
| Original Language(s): | Dutch |
| Original Source: | Dutch DPA (in NL) |
| Initial Contributor: | CBMPN |
The Dutch DPA fined a hospital €460,000 for failing to implement two-factor authentication and regularly review log files, violating Article 32(1) GDPR.
English Summary
Facts
The HagaZiekenhuis hospital, a Dutch healthcare provider, reported a data breach on 4 April 2018 involving unauthorised access to the medical records of a well-known individual. An investigation revealed that 197 employees, including 85 who were unauthorised, had accessed the patient's records. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) found that the hospital had failed to implement two-factor authentication and regularly review log files, as required by Article 32(1) GDPR, since January 2018. These failures left sensitive health data inadequately protected against unauthorised access.
Holding
The Dutch DPA held that the hospital violated Article 32(1) GDPR by failing to implement appropriate technical and organisational measures, specifically two-factor authentication and regular log file reviews, as mandated by the NEN 7510-2 standard for healthcare information security. The AP emphasised that these measures were necessary to ensure an appropriate level of security, particularly given the sensitivity of health data and the scale of processing.
The Dutch DPA also imposed an order subject to a periodic penalty payment (last onder dwangsom), requiring the hospital to implement two-factor authentication and establish regular log file reviews within 15 weeks. Failure to comply would result in a penalty of €100,000 for every two weeks of non-compliance, up to a maximum of €300,000.
Comment
The fine was later reduced by the District Court of the Hague to €350,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Registered
HagaZiekenhuis Foundation
[CONFIDENTIAL]
PO Box 40551
2504 LN THE HAGUE

Date: 18 June 2019
Our reference: [CONFIDENTIAL]
Contact person: [CONFIDENTIAL]
Subject: Decision to impose an administrative fine and a penalty payment order

Dear [CONFIDENTIAL],

The Dutch Data Protection Authority (AP) has decided to impose an administrative fine of €460,000 on the HagaZiekenhuis Foundation (HagaZiekenhuis), because the HagaZiekenhuis has not complied, and still does not comply, with the requirement of two-factor authentication and regular assessment of log files in the period from January 2018 to the present. In doing so, it has not taken sufficient appropriate measures as referred to in Article 32(1) of the General Data Protection Regulation (GDPR). The AP has also decided to impose a penalty payment order on the HagaZiekenhuis, which is intended to end this ongoing violation.

The decision is explained in more detail below. Chapter 1 is an introduction. Chapter 2 describes the legal framework. In Chapter 3, the AP assesses its authority, who is the controller, and the violation. Chapter 4 sets out the administrative fine and its amount, and Chapter 5 the penalty payment order. Chapter 6 contains the operative part (dictum) and the legal remedies clause.

Dutch Data Protection Authority, Postbus 93374, 2509 AJ Den Haag; Bezuidenhoutseweg 30, 2594 AV Den Haag; T 070 888 85 00, F 070 888 85 01; autoriteitpersoonsgegevens.nl

1. Introduction

1.1 Legal entities involved

The Haga Hospital is a foundation with its registered office at Els Borst-Eilersplein 275, (2545 AA) The Hague. The Haga Hospital was established on 1 July 2004 and is registered in the register of the Chamber of Commerce under number 27268552.
In 2017, the Haga Hospital had (rounded) a total of 28,500 admissions, 158,000 first outpatient clinic visits, 52,000 first aid consultations and 143,000 nursing days.[1]

Stichting Reinier Haga Groep (hereinafter: RHG) has its registered office at the same address as the Haga Hospital. RHG was established on 12 July 2013 and is registered in the register of the Chamber of Commerce under number 58365710. RHG is formed by Stichting Reinier de Graaf Groep, Stichting LangelandZiekenhuis and the Haga Hospital.

1.2 Procedural history

On 4 April 2018, the Haga Hospital reported a data breach to the AP.[2] The data breach related to unlawful access to the patient file of a well-known Dutch person. In response to this notification, the AP sent a written request for information to the Haga Hospital by letter dated 23 April 2018. The Haga Hospital complied with this by letter dated 15 May 2018. In response to the information sent by the Haga Hospital, the AP decided, in application of Article 58(1)(b) of the GDPR, to conduct a further investigation into, insofar as relevant here, access to patient data in the digital patient files at the Haga Hospital. In this context, the AP sent a written request for information to the Haga Hospital by letter dated 12 October 2018. The Haga Hospital complied with this request. On 31 October 2018, an announced on-site investigation (hereinafter: OTP) took place at the Haga Hospital. By letter dated 19 November 2018, the AP sent the HagaZiekenhuis the factual representation of the relevant statements made by its employees during the OTP, with the opportunity to comment on the factual (in)correctness of the statements. By letter dated 29 November 2018, the HagaZiekenhuis made its comments on the aforementioned reports known.

[1] In this context, the AP refers to the figures from the Annual Report submitted by the HagaZiekenhuis during the hearing on the views.
[2] Report number [CONFIDENTIAL].
The report of the discussions that took place during the OTP was adopted by the AP on 19 December 2018, taking into account the response of the HagaZiekenhuis to the factual representation of the statements. The results of the further investigation have been recorded in the report “Access to digital patient files by employees of the Haga Hospital, Preliminary Findings” of January 2019 (hereinafter: Preliminary Findings report). By letter of 16 January 2019, the AP gave the Haga Hospital the opportunity to respond to it, and the Haga Hospital provided its response to the Preliminary Findings report by letter of 4 February 2019. Taking this response into account, the AP adopted the final report. This report was sent to the Haga Hospital by letter of 26 March 2019. By letter of 4 April 2019, the AP sent the Haga Hospital a notice of its intention to impose an administrative fine and/or a penalty payment order for violation of Article 32 of the GDPR. By the same letter of 4 April 2019, the AP gave the Haga Hospital the opportunity to submit its views, and by letter of 18 April 2019 the Haga Hospital provided its written views on this intention and on the final report on which it is based. On 25 April 2019, a hearing on the views was held at the AP's office, during which the Haga Hospital also explained its views orally. By email of 30 April 2019, the Haga Hospital sent two documents upon request. By letter of 16 May 2019, the AP sent the report of the hearing on the views to the Haga Hospital. The Haga Hospital stated that it had no comments on the report.

1.3 Reason for the investigation

On 4 April 2018, the Haga Hospital reported a data breach to the AP. The data breach related to unlawful access to the patient file of a well-known Dutch person. In the report, the Haga Hospital announced that it would take security measures pending the internal investigation into unlawful access to this patient file.
The results of this internal investigation are included in the report “Final report Investigation into unlawful access to patient files” of May 2018. This report states that the Haga Hospital structurally checks on a random basis whether authorised employees consult patient files within the applicable framework. If there is any doubt, an investigation follows. According to the report, an investigation was also conducted into the (possible) unlawful access to the patient file that the data breach concerns.[3] The report states that during the period under investigation, 197 employees had access to the patient file, 100 of them unlawfully.[4] The Haga Hospital concludes that the solution must lead to a structural improvement, for which the existing and future measures mentioned in the report must be regularly tested for correct operation and, if necessary, adjusted.[5] Following the aforementioned report, the AP decided in October 2018 to conduct a further investigation into the security measures of the Haga Hospital.

2. Legal framework

2.1 Scope of the GDPR

Pursuant to Article 2(1) of the GDPR, the Regulation applies to the processing of personal data wholly or partly by automated means, as well as to the processing of personal data contained in a filing system or intended to be contained in a filing system. Pursuant to Article 3(1), the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

Pursuant to Article 4, for the purposes of the Regulation, the following definitions apply:

1. “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); [...].
2.
“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means [...].
7. “Controller”: a [...] legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data; [...].
15. “Health data”: personal data relating to the physical or mental health of a natural person, including data about the provision of health services which reveal information about his or her health status.

2.2 Security obligation

2.2.1 GDPR

According to Article 32(1) of the GDPR, the controller shall [...], taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk [...]. In accordance with the second paragraph, in assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

[3] Page 3 of the report.
[4] In its response of 4 February 2019, the HagaZiekenhuis states that this should be 85.
[5] Page 7 of the report.

2.2.2 Supplementary Provisions for the Processing of Personal Data in Healthcare Act

According to Article 1, opening words and subparagraph, of the Supplementary Provisions for the Processing of Personal Data in Healthcare Act, in this Act and the provisions based on it the following is understood by: “Healthcare information system”: an electronic system of a healthcare provider for processing personal data in a file, other than an electronic exchange system.
According to Article 15j(1), rules may be laid down by general administrative order on the functional, technical and organisational measures for the management, security and use of a healthcare information system or an electronic exchange system.

2.2.3 Decree on electronic data processing by healthcare providers

The Decree on electronic data processing by healthcare providers is a general administrative order as referred to in Article 15j(1) of the Supplementary Provisions for the Processing of Personal Data in Healthcare Act. In accordance with Article 1, the following definitions apply in the Decree on electronic data processing by healthcare providers:
“NEN 7510”: standard for the organisational and technical design of information security in healthcare;
“NEN 7513”: further elaboration of NEN 7510 concerning the logging of actions on electronic patient files;
“Healthcare information system”: electronic system of a healthcare provider for the processing of personal data in a file as referred to in the Supplementary Provisions for the Processing of Personal Data in Healthcare Act, not being an electronic exchange system.

In accordance with Article 3(2), a healthcare provider must ensure safe and careful use of the healthcare information system in accordance with the provisions of NEN 7510 [...]. In accordance with Article 5(1), the healthcare provider, as the party responsible for a healthcare information system, [...] ensures that the logging of the system complies with the provisions of NEN 7513.

2.2.4 NEN 7510 and NEN 7513

NEN 7510 of December 2017 (Medical informatics, Information security in healthcare) consists of two parts: part 1 (7510-1) contains normative requirements for the management system and part 2 (7510-2) contains the control measures. NEN 7513 concerns, among other things, logging. NEN 7510 and 7513 take as their starting point that information in healthcare is often confidential in nature.
As a healthcare organisation, measures must therefore be taken to keep patient data safe.

Two-factor authentication

Chapter 9 (Access security), paragraph 9.4 (Access security of system and application), under 9.4.1 (Restricted access to information) of NEN 7510-2 states that health information systems that process personal health information must establish the identity of users. This must be done by means of authentication involving at least two factors.

(Control of) logging

Chapter 5 (Information requirements), paragraph 5.1 (General) of NEN 7513 states that logging should in general make it possible to determine irrefutably afterwards which events have taken place in a patient file. To this end, all systems that contain data forming part of a patient file must at least keep a record of:
- which event has taken place;
- the date and time of the event;
- which client (patient) it concerned;
- who the user was;
- who the responsible user was on whose behalf the user acted.

Chapter 12 (Business security), paragraph 12.4 (Reporting and monitoring), under 12.4.1 (Event registration) of NEN 7510-2 states that event log files that record user activities, exceptions and information security events must be created, kept and regularly assessed.

2.3 Administrative fine and order subject to a penalty

According to Article 58(2), opening words and under (i), in conjunction with Article 83(4), opening words and under (a), of the GDPR and Article 14(3) of the UAVG, the AP is, among other things, authorised to impose an administrative fine and an order subject to a penalty for violations of the GDPR.

2.3.1 GDPR

Pursuant to Article 58(2) of the GDPR, each supervisory authority has the power to take the following corrective measures:
d. to order the controller to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
i. to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case.
Pursuant to Article 83(1), each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. In accordance with the second paragraph, administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58(2)(a) to (h) and (j). It follows from the fourth paragraph, opening words and under (a), that an infringement of the controller's obligation under Article 32 is, in accordance with the second paragraph, subject to an administrative fine of up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

2.3.2 GDPR Implementing Act (UAVG)

In accordance with Article 14(3) of the UAVG, the AP may impose an administrative fine of up to the amounts mentioned in those paragraphs in the event of an infringement of the provisions of Article 83(4) [...] of the Regulation.

3. Assessment

Section 3.1 first assesses the authority of the AP. Section 3.2 then explains who is to be considered the controller for which processing. The violation of Article 32(1) of the GDPR, read in conjunction with Article 3(2) of the Decree on electronic data processing by healthcare providers and the provisions under 9.4.1 and 12.4.1 of NEN 7510-2, is established in section 3.3.
3.1 Authority of the AP

The Haga Hospital has a hospital information system as referred to in Article 1 of the Supplementary Provisions for the Processing of Personal Data in Healthcare Act and Article 1 of the Decree on electronic data processing by healthcare providers. In this system, also called the Electronic Patient Record (EPD) or HiX, the Haga Hospital records data relating to patients. This is therefore processing of personal data, including personal data concerning health, as referred to in Article 4 of the GDPR.

At the time of the aforementioned data breach and its notification by the Haga Hospital to the AP on 4 April 2018, the Personal Data Protection Act (Wbp) was in force. The Wbp was repealed on 25 May 2018.[6] On that day, the GDPR became applicable[7] and the UAVG entered into force.[8] Following the aforementioned data breach and the report “Final report on the investigation into unlawful access to patient files” drawn up for that purpose by the Haga Hospital in May 2018, the AP launched in October 2018, well after the date on which the GDPR came into effect, a further investigation into the security measures taken by the Haga Hospital at that time to ensure that personal data in the digital patient file are not viewed by unauthorised employees. The investigation focused, among other things, on the question of whether the security measures taken by the Haga Hospital in The Hague with regard to access to the hospital information system comply with the currently applicable Article 32 of the GDPR.

With regard to the violation established in the final report, the AP is authorised, pursuant to Article 58(2), opening words and under (i), in conjunction with Article 83(4), opening words and under (a), of the GDPR and Article 14(3) of the UAVG, to impose an administrative fine and a penalty payment order, if the circumstances give reason to do so.

[6] Article 51 of the UAVG.
[7] Article 99(2) of the GDPR.
[8] Royal Decree of 16 May 2018 (Staatsblad 2018, 145).
3.2 Controller

The Haga Hospital has been part of RHG since 12 July 2013. RHG is a partnership between the Haga Hospital, the Reinier de Graaf Group (both as of 12 July 2013) and the Langeland Hospital (as of 9 June 2015). In the context of the question of whether Article 32(1) of the GDPR is complied with, it is important to determine who is or are to be regarded as (joint) controller(s) as referred to in Article 4(7) of the GDPR. In this respect, it is decisive who determines the purposes and means of the processing of personal data, in this case the processing of patient data in the hospital information system of the Haga Hospital. In order to answer this question, the AP attaches weight to the provisions of the report “Information security policy Reinier Haga Group” of 25 December 2015 (Information Security Policy), the report “Authorisation Digital Patient Records” of May 2018 (Authorisation Policy), the Privacy Statement of the Haga Hospital[9] and the statement of [CONFIDENTIAL] as included in the Report of discussions OTP Haga Hospital.

3.2.1 Information Security Policy

As also confirmed by the Haga Hospital during the hearing on the views, the general part of the Information Security Policy established by RHG applies to all data processing at all RHG locations, including the Haga Hospital.[10] The standards NEN 7510 and NEN 7513 are used as the starting point for the application of information security within RHG.[11] These standards are not further elaborated in the general part of the Information Security Policy. The Board of Directors of RHG is administratively responsible for the implementation of the policy and measures in the field of information security.[12] The local implementation of the general part, which may differ per organisation within RHG, is included in the appendices to the Information Security Policy. Appendix 2 shows the local implementation by the Haga Hospital.
The Haga Hospital has its own Information Security Officer (ISO), who is the daily point of contact for all information security matters within the hospital and handles the local coordination of information security activities.[13] All parts of RHG must have taken adequate measures to ensure the continuity of operational activities. Managing, among other things, an emergency button procedure is part of this.[14] The NEN 7510 and NEN 7513 standards are not further elaborated in Appendix 2 (Local implementation Haga Hospital).

[9] https://www.hagaziekenhuis.nl/over-hagaziekenhuis/goed-om-te-weten/patiëntenrechten/privacyverklaring.aspx.
[10] Page 4 of the Information Security Policy. In addition, the Haga Hospital has confirmed upon request that the general part of this policy also applies to Stichting LangelandZiekenhuis.
[11] Page 9 of the Information Security Policy.
[12] Page 6 of the Information Security Policy.

3.2.2 Authorisation Policy

The Authorisation Policy was drawn up by the Haga Hospital and contains policy for the facilities and systems in connection with authorisation for access to the EPD within the Haga Hospital, as well as the control thereof.[15] This policy states that in hospitals the intended means for the processing of personal data are determined by the management of the Haga Hospital.[16] The management takes appropriate technical and organisational measures to protect personal data against loss or any form of unlawful processing.[17]

3.2.3 Privacy Statement

The Privacy Statement of the Haga Hospital states that it applies to the processing of personal data by the Haga Hospital. The Haga Hospital explained at the hearing that the Privacy Regulations of RHG of 15 June 2017 serve as the basis for the Privacy Statement. The AP notes that the Privacy Regulations contain only broad-outline provisions relating to the processing of personal data.
The Privacy Statement contains a further elaboration of the Privacy Regulations, on the basis of which the Haga Hospital may process data for, among other things, the following purposes included therein:
- providing care, calculating its costs and invoicing it;
- conducting scientific research;
- training and educating healthcare personnel;
- administration and internal management activities;
- quality monitoring and promotion of healthcare provision.

Furthermore, the Privacy Statement states that the Haga Hospital also collaborates with other healthcare institutions. The Haga Hospital requests the patient's consent before exchanging the relevant data, unless the interests of the patient or a third party are at risk.

3.2.4 Statement of the HagaZiekenhuis

On 31 October 2018, [CONFIDENTIAL] of the HagaZiekenhuis declared during the OTP that RHG is an administrative merger and not a legal merger. As the hospitals are separated at the system level, the elaboration of the Authorisation Policy differs per hospital and the general Information Security Policy is completed locally per hospital. Each hospital also has its own Authorisation Committee.[18]

[13] Page 6 of the Information Security Policy.
[14] Page 11 of the Information Security Policy.
[15] Page 3 of the Authorisation Policy.
[16] Page 2 of the Authorisation Policy.
[17] Page 3 of the Authorisation Policy.

3.2.5 Assessment by the AP

The AP is of the opinion that the Haga Hospital determines the purposes and means of data processing in the hospital information system of the Haga Hospital, which is separate from the hospital information systems of the other hospitals of RHG. For example, it independently determines the local implementation of the general Information Security Policy and has its own Authorisation Policy, on the basis of which it determines who may have authorised access to which patient data. The Haga Hospital also has its own Privacy Statement, in which it determines the purposes of data processing by the Haga Hospital.
In answering the question of whether the Haga Hospital alone or together with RHG takes decisions regarding the determination of the purposes and means of data processing in the hospital information system of the Haga Hospital, it is important that RHG has only established a general Information Security Policy and general Privacy Regulations. This established general policy does not specify in detail how hospitals within RHG set up their hospital information systems. The Information Security Policy only provides that the NEN 7510 and NEN 7513 standards must be observed. This also follows from Article 32(1) of the GDPR, read in conjunction with Article 3(2) and Article 5(2) of the Decree on electronic data processing by healthcare providers. The Privacy Regulations, furthermore, only repeat the standards of the then applicable Wbp, without specifically filling in these standards. Furthermore, the partnership falls outside the scope of the Authorisation Policy, which concerns authorisation for access to the EPD of the Haga Hospital, and of the Privacy Statement of the Haga Hospital, which includes, among other things, the purposes of the data processing by the Haga Hospital. Also in view of the statement of [CONFIDENTIAL] of the Haga Hospital, the AP is of the opinion, taking the foregoing into account, that the Haga Hospital has the formal legal authority to independently determine the purposes and means of data processing in the hospital information system of the Haga Hospital.

3.2.6 Conclusion

Now that the AP has found that the Haga Hospital determines the set-up of its hospital information system autonomously, the Haga Hospital, and not also RHG, is considered to be the controller as referred to in Article 4, opening words and under 7, of the GDPR with regard to data processing in that hospital information system.
3.3 Violation of data security

3.3.1 Introduction

To ensure security and to prevent processing of personal data in breach of the GDPR, the controller must, pursuant to Article 32 of the GDPR, assess the risks inherent in the processing and take measures to limit those risks. These measures must ensure an appropriate level of security, taking into account the state of the art, the costs of implementation, the risks and the nature of the personal data to be protected.[19]

[18] Page 2 of the Report of discussions OTP Haga Hospital.

Due to their sensitivity, health data belong to a special category of personal data. For this reason, very high requirements apply to the protection of these data. Appropriate security measures contribute to maintaining the trust of patients in the hospital in question when handling personal data. In order to determine whether security measures are appropriate, the generally accepted security standards within the practice of information security in healthcare, NEN 7510 and NEN 7513, must be adhered to in the present case. These security standards stipulate that, with regard to authentication when accessing hospital information systems that are specifically aimed at processing sensitive information, the responsible party must use at least two-factor authentication in order to establish the identity of users. Furthermore, event log files that record user activities, exceptions and information security events must be created, kept and regularly assessed. The above follows from NEN 7510-2, which contains security standards that provide a further elaboration of Article 32 of the GDPR with regard to information security in healthcare, and to which the Authorisation Policy of the Haga Hospital also refers.

3.3.2 Two-factor authentication

NEN 7510-2, paragraph 9.4.1, states that health information systems that process personal health information should establish the identity of users.
This should be done by means of authentication involving at least two factors. This means that the identity of the user seeking access to the health information system is established, for example, on the basis of knowledge (a code or password) and possession (a staff pass).

Regulation Staff Pass and User Manual Virtual Workplace

The Regulation Staff Pass of the Haga Hospital[20] states that all employees of the Haga Hospital have a staff pass, which can be used to log in to the computers. The privileges attached to this identity pass depend on the employee's function and workplace. The pass can be used to prevent other users from viewing confidential documents. Logging in is also possible without a pass, using a user name and password. According to the Regulation, the pass is only a facilitating measure. The User Manual Virtual Workplace[21] confirms that workstations with a pass reader are suitable for virtual working. Employees can log in manually, but after registration also with the staff pass.[22]

[19] Recital 83 of the GDPR.
[20] Revision date 13 June 2017.
[21] From 14 August 2018.

Statement of the Haga Hospital

During the OTP on 31 October 2018, the Haga Hospital confirmed that there are two ways to log in to the computers and the hospital information system. One option is to use the staff pass, which is held in front of the pass reader, after which the user can log in to the Virtual Desktop Infrastructure (VDI) with a user name, password and a fixed 4-digit PIN code. A personal HiX account is linked to this personal network account. This means that once an employee has logged in to the VDI, that employee also has access to the hospital information system. After that, the user can log in and out at any workstation with the pass for four hours, the so-called 'grace period', without entering a user name, password and/or PIN code.
The other option is without the staff pass, whereby the user logs in to the VDI manually with a user name and password. Once logged in, the employee also has access to the hospital information system, just as when logging in with the pass.[23]

Views of the Haga Hospital

The Haga Hospital's views state that in the current situation, access to the hospital information system can be obtained via both two-factor and one-factor authentication. During the hearing on the views, it was explained that the Haga Hospital started with virtual workplaces in 2012, together with the option to log in manually. It has set itself the goal of having implemented permanent two-factor authentication hospital-wide by 1 October 2019, whereby the option to log in via one-factor authentication will disappear. Furthermore, the Haga Hospital will abolish the so-called 'grace period', so that a PIN code will always be requested when accessing via two-factor authentication.

Assessment by the AP

Now that the strength of user authentication must be appropriate to the classification of the information to which access is granted, and (in particular) health data are processed in the hospital information system, two-factor authentication is required. The AP establishes, and it is also not in dispute, that authentication to the hospital information system at the Haga Hospital has, since at least January 2018, taken place and still takes place using the unique staff pass. In the other situation, logging in without a staff pass, authentication takes place on the basis of a user name and password, after which the hospital information system can be consulted. In that case, the identity of the user seeking access to this system is thus established solely on the basis of knowledge (a code or password), without possession (a staff pass). It therefore cannot be excluded that users access the hospital information system by a single factor, and a necessary second factor that contributes to an appropriate level of security is missing.
This does not meet the requirement of two-factor authentication pursuant to Article 32 of the GDPR, read in conjunction with Article 3, paragraph 2, of the Decree on electronic data processing by healthcare providers and the provisions under 9.4.1 of NEN 7510-2.

[22] Page 2 of the User Manual Virtual Workplace.
[23] Page 7 of the Statement of conversations OTP HagaZiekenhuis; also confirmed at the hearing.

3.3.3 Regularly assessing log files

Healthcare institutions must structurally keep track of who has consulted which patient file and when (logging), and this logging must be checked regularly. In this way the institution can detect unauthorised access and take measures. This is based on paragraph 12.4.1 of NEN 7510-2, which states that log files of events that record user activities, exceptions and information security events must be created, kept and regularly assessed. Referring to the report "Access to digital patient records within healthcare institutions" of June 2013,[24] the AP's starting point is that the checking of logging must be systematic and consistent, and that random checks and/or checks based on complaints are not sufficient. It is important to note that random checks do not constitute a system focused on unlawful use and risks.

Authorisation policy

The Authorisation Policy of the Haga Hospital states that security and logging must take place in accordance with the principles set out in NEN 7510 and NEN 7513. The Authorisation Policy includes the principle that the log files are periodically checked for indications of unlawful access or unlawful use of personal data, and that action is taken by the responsible party where necessary.
The Authorisation Policy distinguishes between the check of (1) regular patient files, (2) patient files that belong to specialisms and (3) patient files to which access has been obtained via the so-called emergency button procedure, also referred to as the 'breaking the glass' procedure, described in more detail below.[25] Under the Authorisation Policy, for (1) regular patient files the FG (data protection officer) must carry out an audit of access to the system once every two months in accordance with the established authorisation procedure. The Haga Hospital explained at the consultation meeting that this amounts to a check of one patient file every two months. The Haga Hospital further explained that (2) if a selected file pertains to treatment in the specialisms of psychiatry, psychology, VIP, own staff and venereal diseases, the logging of that file must be checked completely, which means that the logging of this file is checked over a longer period. Employees of the Haga Hospital can also use (3) an emergency button procedure, with which they gain access to data of a patient for which they are not authorised. When searching for such patient data, and again when actually wanting to view it, the procedure displays a message on the screen informing employees that they are not authorised to access this specific patient data. Employees are asked to provide a reason why access is nevertheless necessary. With the help of this procedure, employees can thus gain broader access to patient data.

[24] Under the operation of the Wbp; the scope of Article 32 of the GDPR has, however, not changed in relation to Article 13 of the Wbp that applied at the time.
[25] Page 3 of the Authorisation Policy.
The Authorisation Policy states that both a failed access attempt and access to a digital patient file actually obtained via the emergency button procedure must be regularly checked for lawfulness via the logging.

Statement Haga Hospital

[CONFIDENTIAL] declared during the OTP that every action is logged in the EPD. The checks on the logging are carried out by the ISO and the FG. The first inspection in 2018 concerned the patient file of the well-known Dutch citizen, given the large number of views of this specific file.[26] At the request of patients and employees, the Haga Hospital carried out further inspections in 2018, which revealed no irregularities. [CONFIDENTIAL] further stated that in 2019 the Haga Hospital intends to carry out six random samples per year as part of the inspection of logging in accordance with the Authorisation Policy, in which six different patients from different departments will be checked. Due to the pressure caused by the aforementioned data leak and the follow-up actions, the Haga Hospital had not (yet) got around to this at the time of the statement of 31 October 2018.

Opinion

The Haga Hospital aims to comply with paragraph 12.4.1 of NEN 7510-2 by 1 October 2019 at the latest, in the form of checks on logging in the following three ways: (1) on the basis of samples covering six patient files per year, (2) on the basis of complaints and requests from patients, and (3) by means of a systematic analysis of the use of the emergency button procedure. The sample (1) is limited to six files per year because carrying out such a check is a very labour-intensive process, according to the Haga Hospital. After the logging has been generated, it must be determined manually, per logging rule, whether the person who logged in is part of the treatment team of the patient in question. At the consultation hearing, the Haga Hospital, upon request, made a rough estimate of the scope of the audit process, which consists of five steps.
The first three steps can be carried out by one employee and concern the generation of the logging, the supplementing and checking of it, and the determination of the treatment team. In the last two steps further research takes place, carried out by several employees. Carrying out the first three steps takes in total, and on average, approximately eight hours, which covers approximately one third to one half of a complete audit trajectory, according to the Haga Hospital. With regard to the audit of logging, it also states that (2) patients can request access to the logging and that the Haga Hospital also audits the logging in those cases. The systematic analysis (3) includes a weekly audit of the logging of all patient files that have been consulted via the emergency button procedure. The schedule it has drawn up, aimed at 1 October 2019, assumes a manual audit. The possibilities of using [CONFIDENTIAL] as a technical aid in carrying out the audit of the logging are still being investigated by the Haga Hospital. At the hearing, the Haga Hospital confirmed that in the period from January 2018 to October 2018 it proactively carried out one logging check, on the file of the well-known Dutch citizen, and six logging checks on six files at the request of patients and employees. After October 2018, various checks were carried out at the request of patients and/or employees. In January 2019 the Haga Hospital started the first of the intended six samples per year. The second investigation is planned for April/May 2019, according to the Haga Hospital.

[26] See also the response from the Haga Hospital of 4 February 2019.
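One way to put the audit steps and the weekly emergency-button review described above into code, as an added example that is not part of the decision or of the hospital's own tooling. All events, users, patient ids, the treatment teams and the viewer-count threshold are constructed assumptions.

```python
"""Added example, not part of the AP decision or of the Haga Hospital's own tooling.

It encodes the log-review procedure the decision describes: generate the logging
for a patient file, check each logging rule against the treatment team, review all
emergency-button ("breaking the glass") accesses weekly, and flag files that draw
an unusual number of distinct viewers (what triggered the first check in 2018).
Every event, user, patient id, team and threshold below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    emergency_button: bool = False  # access obtained via the emergency button procedure
    reason: str = ""                # justification entered when breaking the glass


# Constructed treatment teams: the users authorised for each sampled file.
TREATMENT_TEAM = {
    "P-1001": {"dr.alpha", "nurse.beta"},
    "P-1002": {"dr.gamma"},
}

# Constructed EPD access log. Review week: Monday 2019-01-07 to Sunday 2019-01-13.
WEEK_START = datetime(2019, 1, 7)
EVENTS = [
    AccessEvent(datetime(2019, 1, 7, 9, 0), "dr.alpha", "P-1001"),
    AccessEvent(datetime(2019, 1, 7, 9, 5), "nurse.beta", "P-1001"),
    AccessEvent(datetime(2019, 1, 8, 14, 0), "admin.delta", "P-1001"),  # outside team, no glass broken
    AccessEvent(datetime(2019, 1, 9, 11, 0), "dr.gamma", "P-1001", True, "consult"),  # glass broken
    AccessEvent(datetime(2019, 1, 9, 11, 30), "dr.gamma", "P-1002"),
    AccessEvent(datetime(2019, 1, 15, 8, 0), "clerk.eps", "P-1002", True, "billing"),  # next week
]
# An unsampled file viewed by five different users within one hour (constructed).
EVENTS += [AccessEvent(datetime(2019, 1, 10, 10, 10 * i), f"user{i}", "P-1003") for i in range(5)]


def generate_logging(events, patient_id, start, end):
    """Audit step 1: every logging rule for one patient file in the window, in time order."""
    return sorted((e for e in events if e.patient_id == patient_id and start <= e.ts < end),
                  key=lambda e: e.ts)


def check_against_treatment_team(records, treatment_team):
    """Audit steps 2-3: per logging rule, was the user part of the treatment team?

    Returns the records that need further research (steps 4-5): accesses within the
    authorisation profile by someone outside the team. Emergency-button accesses are
    left out here because they get their own weekly review.
    """
    return [e for e in records
            if not e.emergency_button and e.user not in treatment_team.get(e.patient_id, set())]


def weekly_emergency_button_review(events, week_start):
    """Systematic weekly check: every emergency-button access of the week, with its reason."""
    week_end = week_start + timedelta(days=7)
    return [e for e in events if e.emergency_button and week_start <= e.ts < week_end]


def files_with_unusual_viewer_counts(events, window=timedelta(days=1), threshold=4):
    """Detection heuristic (an assumption of this example, not a NEN 7510-2 requirement):
    flag a file when at least `threshold` distinct users view it within `window`."""
    by_file = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_file[e.patient_id].append(e)
    flagged = {}
    for pid, recs in by_file.items():
        peak = 0
        for i, first in enumerate(recs):
            viewers = {r.user for r in recs[i:] if r.ts - first.ts < window}
            peak = max(peak, len(viewers))
        if peak >= threshold:
            flagged[pid] = peak
    return flagged


def run_review(events=EVENTS, treatment_team=TREATMENT_TEAM, week_start=WEEK_START):
    """One review cycle over the sampled files plus the two systematic checks."""
    week_end = week_start + timedelta(days=7)
    outside_team = {}
    for pid in treatment_team:
        records = generate_logging(events, pid, week_start, week_end)
        outside_team[pid] = [e.user for e in check_against_treatment_team(records, treatment_team)]
    glass = [(e.user, e.patient_id, e.reason)
             for e in weekly_emergency_button_review(events, week_start)]
    return {"outside_team": outside_team,
            "emergency_button": glass,
            "unusual_viewer_counts": files_with_unusual_viewer_counts(events)}


if __name__ == "__main__":
    for key, value in run_review().items():
        print(key, value)
```

The sampled-file check only ever sees the files it samples; the viewer-count heuristic is what surfaces the unsampled "P-1003" file, which illustrates why the AP treated a six-file annual sample as insufficient on its own.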
AP assessment

The AP establishes that in 2018 the Haga Hospital carried out the inspection, with the exception of one proactive random sample, only in response to a few complaints and requests. The proactive inspection carried out in 2019 (relating to at most two patient files) does not include a separate inspection of the logging of patient files that were consulted via the emergency button procedure either. In any case, the Haga Hospital has not acted in accordance with its own Authorisation Policy during the aforementioned period (January 2018 to date). Apart from that, carrying out only one or a few proactive random samples per year is more than evidently insufficient to speak of an appropriate level of security as regards detecting unauthorised access to patient data and taking measures in response to it. In this regard, the AP takes into account the relevant scale of the processing of health data by the hospital[27] and the lack of regular checking of the use of the emergency button procedure, as a result of which employees may gain access to more data than they are initially authorised to use. In view of this, there are no appropriate measures regarding the checking of logging as required by Article 32, first paragraph, of the GDPR, read in conjunction with Article 3, second paragraph, of the Decree on electronic data processing by healthcare providers and the provisions under 12.4.1 of NEN 7510-2. In addition, the AP also answers the question of whether the Authorisation Policy provides for a systematic, consistent check of the logging data, within the framework of the order subject to a penalty to be imposed. The AP, based in part on the explanation provided by the Haga Hospital, establishes that the Authorisation Policy provides for a check on the logging of six (regular or otherwise) patient files and a regular check of patient files to which access has been obtained using the emergency button procedure. What is to be understood by a regular check of the latter files is not further elaborated in the Authorisation Policy.
The Haga Hospital's opinion of 18 April 2019 states that it aims to examine, on a weekly basis, all patient files that have been consulted via the emergency button procedure, by 1 October 2019 at the latest. With the implementation of the proposed measures, in addition to the reactive check in response to a complaint or a request, the Haga Hospital takes the position that the log files are then checked regularly as intended in NEN 7510-2. In the opinion of the AP, such a weekly check undoubtedly meets the requirement of a systematic, consistent check of the logging data. However, this does not alter the fact that the Haga Hospital must also give sufficient consideration to the risk of abuse within the authorisation profile with regard to the other files, those not consulted via the emergency button procedure. Log files can be used to find out who had access to which health data. With a volume of (rounded, in 2017) 28,500 admissions, 158,000 first outpatient clinic visits, 52,000 emergency room consultations and 143,000 nursing days, an annual check of six patient files does not constitute a sufficient effort to detect, to a sufficient extent, cases of unlawful processing that take place within the authorisation. In the opinion of the AP, this does not lead to the required appropriate level of security in cases where the file has been consulted within the authorisation. The current state of the art is decisive for what can be considered appropriate measures within the meaning of Article 32, first paragraph, of the GDPR.

[27] In this context, the AP refers to the figures from the Annual Report submitted by the Haga Hospital at the consultation hearing. In 2017, the Haga Hospital had (rounded) 28,500 admissions, 158,000 first outpatient clinic visits, 52,000 emergency room consultations and 143,000 nursing days.
The Haga Hospital has not made it plausible that, possibly in addition to [CONFIDENTIAL], no other technical support options are available. The steps taken by the Haga Hospital to achieve an update in that context are therefore appropriate. To the extent that the Haga Hospital has no or limited technical support to carry out or support the check of logging, as it has stated in its opinion, it must organise the check of logging accordingly. To this end, the Haga Hospital has proposed to manually check the logging of all files consulted via the emergency button procedure. In view of this, it is not apparent that a manual check of the logging of more than six files per year, not consulted via the emergency button procedure, cannot be required of it. The fact that the Haga Hospital, as it explained at the hearing, also takes preventive measures aimed at preventing unlawful access to patient data, including raising awareness among employees about the careful handling of patient data, does not negate the obligation to take the aforementioned appropriate technical and organisational measures within the meaning of Article 32, first paragraph, of the GDPR. Given that the Authorisation Policy provides for a check of one sample of one file every two months, the AP believes that this policy does not provide for a systematic, consistent check of the logging.

3.3.4 Conclusion

In view of the above, the AP is of the opinion that the Haga Hospital has violated Article 32, first paragraph, of the GDPR, read in conjunction with Article 3, second paragraph, of the Decree on electronic data processing by healthcare providers and the provisions under 9.4.1 and under 12.4.1 of NEN 7510-2, since the requirement of two-factor authentication and regular assessment of log files has not been met in the period from January 2018 to date. The violation is currently ongoing.

4. Fine

4.1 Introduction

The security measures taken by the Haga Hospital do not concern the (correct) implementation of the use of two-factor authentication and the regular checking of the log files. The Haga Hospital may be expected to satisfy itself of the standards that apply to it. The failure to apply two-factor authentication for access to patient data, for which paragraph 9.4.1 of NEN 7510-2 leaves no room, and the fact that in practice the proactive checking of the logging was limited to one or a few patient files over a period of more than one year, are, in the opinion of the AP and contrary to what the Haga Hospital argues, clearly and structurally in conflict with the first paragraph of Article 32 of the GDPR, read in conjunction with the provisions under 9.4.1 and under 12.4.1 of NEN 7510-2. The fact that the Haga Hospital argued at the hearing that the standard in 12.4.1 of NEN 7510-2 is an open standard does not alter this, whatever the case may be, now that the Haga Hospital has in practice also deviated from its own Authorisation Policy, while that Authorisation Policy, according to it and with the explanation it gives here, in its opinion complies with standard 12.4.1 of NEN 7510-2. In the present case, the AP sees reason to use its power to impose a fine on the Haga Hospital on the basis of Article 58, paragraph 2, opening words, and Article 83, paragraph 4, of the GDPR, read in conjunction with Article 14, paragraph 3, of the UAVG.
4.2 Fine Policy Rules Dutch Data Protection Authority 2019 (Fine Policy Rules 2019)

Pursuant to Article 58, paragraph 2, opening words, and Article 83, paragraph 4, of the GDPR, read in conjunction with Article 14, paragraph 3, of the UAVG, the AP is authorised to impose an administrative fine on the Haga Hospital for a violation of Article 32, paragraph 1, of the GDPR of up to €10,000,000 or up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher. The AP has established the Fine Policy Rules 2019 regarding the exercise of the aforementioned power to impose an administrative fine, including determining its amount.[28] Pursuant to Article 2, under 2.1, of the Fine Policy Rules 2019, the provisions for violations of which the AP may impose an administrative fine of a maximum of €10,000,000 or, for an undertaking, up to 2% of the total worldwide annual turnover in the previous financial year, if this figure is higher, are classified in Annex I in category I, category II or category III. In Annex I, Article 32 of the GDPR is classified in category II. In accordance with Article 2, under 2.3, the AP sets the basic fine for violations for which a statutory maximum fine of €10,000,000 applies or, for an undertaking, up to 2% of the total worldwide annual turnover in the preceding financial year, if this figure is higher, [...] within the following fine range: Category II: fine range between €120,000 and €500,000 and a basic fine of €310,000. [...]. In accordance with Article 6, the AP determines the amount of the fine by adjusting the basic fine upwards (up to the maximum of the range of the fine category linked to the violation) or downwards (down to the minimum of that range). The basic fine is increased or decreased depending on the extent to which the factors mentioned in Article 7 give reason to do so.

[28] Stcrt. 2019, 14586, 14 March 2019.

Pursuant to Article 7, the AP, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb), takes into account the factors derived from Article 83, second paragraph, of the GDPR, listed in the Policy Rules under a to k:
a. the nature, severity and duration of the infringement, taking into account the nature, extent or purpose of the processing in question as well as the number of affected data subjects and the extent of the damage suffered by them;
b. the intentional or negligent nature of the infringement;
c. the measures taken by the controller [...] to mitigate the damage suffered by data subjects;
d. the extent to which the controller [...] is responsible in the light of the technical and organisational measures implemented in accordance with Articles 25 and 32 of the GDPR;
e. any previous relevant breaches by the controller [...];
f. the extent of cooperation with the supervisory authority to remedy the breach and mitigate its potential adverse effects;
g. the categories of personal data to which the breach relates;
h. the manner in which the supervisory authority became aware of the breach, in particular whether, and if so to what extent, the controller [...] notified it;
i. compliance with the measures referred to in the second paragraph of Article 58 of the GDPR, insofar as they have previously been taken in relation to the controller [...] in question with regard to the same matter;
j. adherence to approved codes of conduct pursuant to Article 40 of the GDPR or to approved certification mechanisms pursuant to Article 42 of the GDPR; and
k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, whether or not directly resulting from the infringement.

Pursuant to Article 9, the AP, when determining the fine, takes into account the financial circumstances of the offender.
In the event of reduced or insufficient financial capacity of the offender, the AP may further reduce the fine to be imposed if, after application of Article 8.1 of the policy rules, determining a fine within the fine range of the next lower category would, in its opinion, nevertheless result in a disproportionately high fine.

4.3 Systematics

With regard to violations for which the AP can impose an administrative fine of up to €10,000,000 or up to 2% of the total worldwide annual turnover in the previous financial year, whichever is higher, the AP has divided the violations into three categories in the Fine Policy Rules 2019, to which increasing administrative fines are attached. The fine categories are ranked according to the severity of the violation of the aforementioned articles, with category I containing the least serious violations and category II or III the most serious violations. Violation of Article 32, first paragraph, of the GDPR is classified in category II, for which a fine range between €120,000 and €500,000 and a basic fine of €310,000 have been established. The AP uses the basic fine as a neutral starting point. The AP then adjusts the amount of the fine in accordance with Article 6 of the Fine Policy Rules 2019 on the basis of the factors mentioned in Article 7 of the Fine Policy Rules 2019, by reducing or increasing the basic fine. This includes an assessment of (1) the nature, seriousness and duration of the infringement in the specific case, (2) the intentional or negligent nature of the infringement, (3) the measures taken to limit the damage suffered by the data subjects and (4) the categories of personal data to which the infringement relates. In principle, this remains within the range of the fine category linked to that infringement.
The AP may, if necessary and depending on the extent to which the aforementioned factors give rise to this, apply the fine range of the next higher or next lower category respectively.

4.4 Fine amount

4.4.1 Nature, severity and duration of the infringement

According to Article 7, under a, of the Fine Policy Rules 2019, the AP takes into account the nature, severity and duration of the infringement. In assessing this, the AP takes into account, among other things, the nature, extent or purpose of the processing as well as the number of affected data subjects and the extent of the damage suffered by them. Article 32 of the GDPR, read in conjunction with NEN 7510 and 7513, obliges healthcare providers to confidentiality and care with regard to medical data. The importance of taking appropriate security measures lies, among other things, in maintaining and restoring the confidence of patients in the careful handling of their medical data. A shortcoming in this respect affects not only the reputation of the healthcare providers involved but the entire sector. Security measures, such as those relating to two-factor authentication and regular checking of log files, are necessary measures to restore that trust. The Haga Hospital has not taken appropriate security measures regarding two-factor authentication and the regular assessment of log files since January 2018. The hospital information system does not have a built-in obligation, but only the option, to log in with two-factor authentication, and the logging is not checked regularly. As a result, the necessary measures regarding the protection of personal data have not been taken during this period, in particular measures regarding the prevention and detection of (possible) unauthorised access to patient files.
The violation has therefore continued in a structural manner over a long period, during which a large group of unauthorised persons could gain access to the health data of patients of the Haga Hospital. Especially in light of the data breach concerning the well-known Dutch person, in which the Haga Hospital established at the beginning of 2018 that a large number of employees had unauthorised access to a patient file, it was up to the Haga Hospital to implement the standards, which also aim to prevent such unauthorised access, and to end the violation of Article 32 of the GDPR as soon as possible. In view of this, as well as the large number of patients whose data is included in the hospital information system[29] and the type of personal data (health data), the AP believes that this is a situation in which that trust has been severely damaged. The AP considers this to be serious. To the extent that the period of the established violation concerns conduct by the Haga Hospital falling under the scope of the Wbp, it is important that the Haga Hospital also had to take appropriate technical and organisational measures under the Wbp regime, similar to the GDPR regime, to protect personal data.[30] There is therefore no material change in the provision. Furthermore, failure to comply with the same obligation under the Wbp, albeit with a lower basic fine than under the GDPR, is punishable within the same fine category and the same associated bandwidth. The AP also believes that under the Wbp regime there is serious culpable negligence[31] on the part of the Haga Hospital, as the Haga Hospital also failed to take measures during this period to ensure the correct implementation of the use of two-factor authentication and the regular checking of log files. In view of the nature and scale of the processing, the Haga Hospital may be expected to satisfy itself of the standards applicable to it.
The importance of this is reinforced by the data leak that occurred in January, which could have been prevented and noticed by taking such measures. In view of this, the AP takes into account a period from January 2018 to the present with regard to the duration of the violation, whereby it considers it particularly important that, in the AP's opinion, this constitutes a structural violation that is still ongoing. In view of the seriousness of the ongoing violation, the AP sees reason to increase the basic amount of the fine by €75,000 to €385,000 pursuant to Article 7, opening words and under a, of the Fine Policy Rules 2019.

[29] In this context, the AP refers to the figures from the Annual Report submitted by the Haga Hospital during the consultation hearing. In 2017, the Haga Hospital had (rounded) 28,500 admissions, 158,000 first outpatient clinic visits, 52,000 emergency room consultations and 143,000 nursing days.
[30] Article 13 of the Wbp, read in conjunction with Article 3, second paragraph, of the Decree on electronic data processing by healthcare providers and the provisions under 9.4.1 and under 12.4.1 of NEN 7510-2.
[31] Article 66, paragraph 4, of the Wbp, which states that the AP will not impose an administrative fine until it has issued a binding instruction, unless the violation was committed intentionally or is the result of serious culpable negligence.

4.4.2 Intentional or negligent nature of the violation

Pursuant to Article 7, under b, of the Fine Policy Rules 2019, the AP takes into account the intentional or negligent nature of the violation. The report "Investigation into unlawful access to patient files" drawn up by the Haga Hospital in May 2018 states that a large number of employees unlawfully consulted a patient file. They had no treatment or care relationship with the patient. Various measures are recommended, which include supervising the taking of additional samples to test compliance with the regulations. As a participating member of the Data Breach Committee, the management of the Haga Hospital was aware of the unauthorised access to this patient file.[32] The Information Security Policy refers to NEN 7510 and NEN 7513, which must be complied with. Since the measures taken do not concern the correct implementation of the use of two-factor authentication and the regular checking of the log files, while the Haga Hospital, given the nature and scope of the processing, may be expected to satisfy itself of the standards applicable to it, the AP is of the opinion that the Haga Hospital has in any case been particularly negligent in taking such measures. In doing so, the AP also takes into account the response of the Haga Hospital during the OTP that, in connection with follow-up actions due to the aforementioned data breach, it had no time available to implement a security measure concerning the regular checking of log files. The Haga Hospital is responsible for implementing structures and resources tailored to the nature and complexity of the hospital. As such, it cannot justify violations of the GDPR by claiming a lack of resources. The fact that the Haga Hospital has no time available in connection with the implementation of other security measures therefore does not, whatever the case may be, release it from the obligation to also implement appropriate security measures concerning the prevention of the current ongoing violation. Nor does the Haga Hospital's finding that, in its opinion, the aforementioned data breach was not a consequence of the fact that two-factor authentication and the regular checking of log files, as proposed in its opinion of 18 April 2019, had not yet been fully implemented.
The AP also notes that two-factor authentication and regular checking of log files, in addition to the other security measures taken by the Haga Hospital in response to the aforementioned data breach, also concern the prevention and detection of unauthorised access to patient data. In the light of Article 32, first paragraph, of the GDPR, a set of measures must be taken. In view of the foregoing, the AP is of the opinion that the Haga Hospital has in any case been particularly negligent in taking appropriate security measures concerning the use of two-factor authentication and the regular checking of log files. In view of the negligent nature of the infringement, the AP sees reason to increase the basic amount of the fine by €75,000 to €460,000 pursuant to Article 7(b) of the Fine Policy Rules 2019.

[32] This is evident from page 4 of the report Investigation into unlawful access to patient files and the statement of [CONFIDENTIAL] in the Report of conversations OTP Haga Hospital.

4.4.3 Measures taken

Pursuant to Article 7(c) of the Fine Policy Rules 2019, the AP takes into account the measures taken by the controller to limit the damage suffered by data subjects. On the basis of the report "Investigation into unlawful access to patient files" of May 2018, the Haga Hospital recommended a number of security measures on its own initiative. These measures included raising employee awareness, conducting random checks more frequently, taking stock of and, where necessary, adjusting authorisations, and tightening the authorisation policy and the warning text of the emergency button procedure. In its final report of March 2019, the AP concluded that the access control policy of the Haga Hospital complies with the NEN 7510-2 standard. Furthermore, the AP concluded that the Haga Hospital has taken sufficient measures with regard to employee awareness of information security. In view of this, the AP assessed that the Haga Hospital has taken at least some of the measures recommended in the report that relate to the protection of patient data in the hospital information system of the Haga Hospital. The downside of this is that the report "Investigation into unlawful access to patient files" explicitly states that more frequent random samples should be taken to check log files, which the Haga Hospital has not (yet) followed up on. The response of the Haga Hospital during the OTP that it did not have time available to take a security measure concerning the regular checking of log files, in connection with follow-up actions due to the aforementioned data leak, does not release it from this obligation in view of the above under paragraph 3.3.3. Furthermore, the authentication component is primarily concerned with preventing unauthorised access to patient data. The Haga Hospital has wrongly not paid attention to this on its own initiative, which would have been the obvious course in view of the aforementioned data leak. Now that the security measures relating to the protection of patient data must be considered in their entirety, the AP sees no reason to reduce the basic amount of the fine on the basis of Article 7, under c, of the Fine Policy Rules 2019.

4.4.4 Categories of personal data

In accordance with Article 7, under g, of the Fine Policy Rules 2019, the AP takes into account the categories of personal data to which the infringement relates. The Haga Hospital processes a large amount of special personal data in the hospital information system.[33] Unauthorised access to patient files can have serious adverse consequences for the protection of personal data concerning health.
Now that the categories of personal data to which the infringement relates in the present case have already been taken into account in the assessment under Article 7, first paragraph, opening words and under a, of the Fine Policy Rules 2019 as a factor increasing the fine in terms of the nature of the infringement, the AP sees no reason to also independently increase the basic amount of the fine on the basis of Article 7, under g, of the Fine Policy Rules 2019.

[33] https://www.hagaziekenhuis.nl/over-hagaziekenhuis/verslaglegging-en-verantwoording/kerncijfers.aspx The number of admissions in 2017 was 28,498, the number of first outpatient clinic visits 158,176 and the number of first aid consultations 52,241.

4.4.5 Other circumstances

The AP sees no reason to increase or decrease the basic amount of the fine on the basis of the other circumstances mentioned in Article 7 of the Fine Policy Rules 2019, insofar as applicable in the case at hand. Insofar as the Haga Hospital has stated that it cooperated with the AP's investigation and has drawn up direct action plans to address the findings of the AP and to remedy shortcomings, it is important that this cooperation does not go beyond its legal obligation to comply with Article 32, first paragraph, of the GDPR. The AP sees no reason to find that the Haga Hospital has acted in a special way that has significantly limited the consequences for the rights of the data subjects. In addition, the AP takes into account that the Haga Hospital, despite the aforementioned data leak and the investigation announced by the AP in October 2018, has not taken any measures since then, nor actually applied them, to end the violation in the short term. In view of the foregoing, the AP sets the total fine amount at €460,000.
4.4.6 Proportionality

Finally, the AP assesses on the basis of Articles 3:4 and 5:46 of the General Administrative Law Act (Awb; principle of proportionality) whether the application of its policy for determining the amount of the fine, given the circumstances of the specific case, leads to a disproportionate outcome. According to the 2019 Fine Policy Rules, applying the principle of proportionality also means that the AP, when determining the fine, takes into account the financial circumstances of the offender where necessary. During the hearing, the Haga Hospital invoked a limited capacity to pay, substantiated by the draft annual accounts for 2018. In this context it argued that the Haga Hospital retained [CONFIDENTIAL] in 2018 as a result of incidental income. The AP sees no reason in this to assume that the Haga Hospital, given its financial position, would be unable to bear a fine of €460,000.

4.4.7 Conclusion

The AP sets the total fine at €460,000.

5. Order subject to penalty

5.1 Reason

Since this concerns a continuing violation of Article 32, first paragraph, of the GDPR, it must be ended as soon as possible. For that reason, the AP imposes, in addition to the aforementioned fine, an order subject to a penalty payment on the basis of Article 58, second paragraph, opening words and under d, of the GDPR, Article 16, first paragraph, of the UAVG and Article 5:32, first paragraph, of the Awb.
5.2 Grace period and amount of penalty

The AP attaches to the order subject to a penalty payment a grace period (begunstigingstermijn) of fifteen weeks. In determining this period, it took into account the planning for the intended measures as included in the Haga Hospital's opinion of 18 April 2019. During the hearing on that opinion, the Haga Hospital explained the implementation of the measures as included in its planning, and stated that the planning is realistic. Although the planning drawn up by the Haga Hospital also provides for a check of log files within the authorization profile covering six (regular or other) patient files, which in the AP's opinion, in view of the foregoing, does not amount to the required security level because of its very limited scope, the AP does not see that the Haga Hospital would be unable to comply with Article 32, first paragraph, of the GDPR within this grace period. It is important that the planning does include a weekly (manual) check of the logging of all patient files that have been consulted via the emergency button procedure, that is, outside the authorization profile. With regard to the check of log files within the authorization profile, it has not become apparent that the hospital cannot comply with Article 32, first paragraph, of the GDPR within the grace period. It is not required that the check of the logging covers all patient files that have been consulted within the authorization profile, but the check must be arranged in such a way that cases of unlawful processing that take place within the authorization can be detected to a sufficient extent. Since the question of whether Article 32, first paragraph, of the GDPR is complied with on this point depends on the manner in which the check is carried out, for example on the basis of a profile of indications that the hospital uses to detect unlawful access, and the entire set of security measures must be considered in that context, the AP cannot indicate in advance the extent of the required regular check of the log files.
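The decision leaves the design of this check to the hospital; as an added Python example (not part of the decision or of the hospital's systems), the following runs over constructed access-log lines, lists every emergency-button access outside the authorization profile for the weekly manual review, and applies one assumed indication for within-profile access, namely a single patient file opened by many distinct users in a short window. The log format, field names, threshold and window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of hospital-information-system access log lines (not real data).
# Assumed format: timestamp;user;patient;mode, where mode is "profile" (access within
# the user's authorization profile) or "emergency" (emergency-button access outside it).
SAMPLE_LOG = """\
2018-04-03T08:12:00;u101;p900;profile
2018-04-03T08:15:00;u102;p900;profile
2018-04-03T08:20:00;u103;p900;profile
2018-04-03T08:31:00;u104;p900;profile
2018-04-03T09:02:00;u105;p900;emergency
2018-04-04T10:00:00;u107;p901;emergency
"""

def parse_log(text):
    """Parse ';'-separated log lines into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, patient, mode = line.split(";")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "mode": mode})
    return records

def emergency_accesses(records):
    """Every emergency-button access is outside the profile and goes to weekly manual review."""
    return [r for r in records if r["mode"] == "emergency"]

def spike_indications(records, threshold=3, window=timedelta(hours=1)):
    """Assumed indication: one patient file opened by more than `threshold` users within `window`."""
    by_patient = defaultdict(list)
    for r in records:
        if r["mode"] == "profile":
            by_patient[r["patient"]].append(r)
    flagged = {}
    for patient, recs in by_patient.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            users = {x["user"] for x in recs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) > threshold:
                flagged[patient] = max(flagged.get(patient, 0), len(users))
    return flagged

def weekly_review_queue(text):
    """Both checks combined into the queue an auditor works through each week."""
    records = parse_log(text)
    return {"emergency": [(r["user"], r["patient"]) for r in emergency_accesses(records)],
            "spikes": spike_indications(records)}
```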
The Haga Hospital must therefore explain how the (intended) check, in its view, contributes to an acceptable degree to the detection of unlawful access to or use of patient data within the authorisation profiles.

Article 5:32b, third paragraph, of the General Administrative Law Act (Awb) prescribes that the penalty amounts must be in reasonable proportion to the seriousness of the interests violated and to the intended effect of the penalty. In the latter respect, it is important that a penalty provides such an incentive that the order is complied with. If the Haga Hospital does not end the established violation within fifteen weeks, it will forfeit a penalty payment for every two weeks after the expiry of the grace period during which the order has not been (fully) complied with. The AP sets the amount of this penalty payment at €100,000 (in words: one hundred thousand euros) for every two weeks after the expiry of the grace period, up to a maximum amount of €300,000 (in words: three hundred thousand euros). If the Haga Hospital wishes to prevent the penalty payment from being forfeited immediately after the expiry of the grace period, the AP advises the Haga Hospital to send the documents with which it can demonstrate that it is complying with the order to the AP for assessment in good time, and no later than one week before the end of the grace period.

6. Judgment

Fine

The AP imposes an administrative fine on HagaZiekenhuis for violation of Article 32, first paragraph, of the GDPR, read in conjunction with Article 3, second paragraph, of the Decree on electronic data processing by healthcare providers and the provisions under 9.4.1 and under 12.4.1 of NEN 7510-2, in the amount of €460,000 (in words: four hundred and sixty thousand euros).34

Order subject to penalty

Within fifteen weeks after the date of this decision, take measures, in the context of data processing in the hospital information system of HagaZiekenhuis that is accessible to its employees, that ensure that:
1. this access is only possible with the application of two-factor authentication;
2. the log files are regularly checked for unlawful access to or unlawful use of patient data.

If the Haga Hospital has not implemented the measures to (fully) comply with the order within fifteen weeks after the date of this decision, the Haga Hospital will forfeit a penalty payment of €100,000 (in words: one hundred thousand euros) for every two weeks after the end of the grace period, up to a maximum amount of €300,000 (in words: three hundred thousand euros).

Yours sincerely,
Dutch Data Protection Authority,
signed.
Mr. A. Wolfsen
Chairman

Remedies clause

If you do not agree with this decision, you can submit an objection to the Dutch Data Protection Authority within six weeks after the date of sending of the decision, digitally or on paper. To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading "Objecting to a decision", at the bottom of the page under the heading "Contacting the Dutch Data Protection Authority". The address for submitting on paper is: Dutch Data Protection Authority, Postbus 93374, 2509 AJ The Hague. On the envelope, mention 'Awb-bezwaar' and put 'bezwaarschrift' in the title of your letter. In your objection, state at least:
- your name and address;
- the date of your objection;
- the reference (case number) mentioned in this letter, or attach a copy of this decision;
- the reason(s) why you do not agree with this decision;
- your signature.
34 The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).