The Netherlands: 440,000 EUR fine for hospital for inadequate authentication and logging
Demi Rietveld and Richard van Schaik of DLA Piper write:
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “Dutch DPA”) has published its decision to impose an administrative fine of EUR 440,000 on Amsterdam hospital OLVG due to the lack of sufficient measures to prevent access to medical records by unauthorised personnel.
After complaints, the Dutch DPA conducted an investigation, carried out an audit of the hospital’s information system, and investigated, among other things, security aspects such as authentication and verification of the logging. After the investigation, the Dutch DPA concluded that OLVG systematically failed to adequately safeguard access to medical records and identified two specific violations with regard to authentication and verification of logging.
Read more on Privacy Matters.
I wonder if our OCR would ever take enforcement action like this for the same authentication and logging issues.