Hospital convicted for failing to protect medical records

The Bravis Hospital in Roosendaal must pay compensation to a patient because the security of medical files was not in order. The Zeeland-West Brabant court ruled on this on Wednesday. It is the first time that a hospital has had to compensate a patient for a data breach.

A hospital secretary illegally looked at the medical records of acquaintances for at least four years. The employee had unrestricted access to the medical records because she worked in the emergency department.

She viewed the medical records of her partner’s ex-wife a total of 347 times between June 2014 and July 2018, NRC revealed earlier. She set up a publishing house that self-published a book by her partner. This “revenge novel” described her husband’s divorce from his ex-wife, incorporating medical details about the former partner.

According to the judge, it must be assumed that the secretary shared the medical information with her partner – who was the ex-partner of the female patient – and that he incorporated this information into his book. The book has since been banned.

The Dutch Data Protection Authority (AP) initially did not act against Bravis’ extensive data breach. The regulator launched an investigation in response to the publications in NRC. The regulator called the picture “worrying” at the time. It is unclear what happened after that to the investigation, which was opened in December 2020. The AP was unable to comment on Wednesday afternoon.

‘Supervisor falls short’

Lawyer Paul Tjiam, who assists the patient, says that the regulator is failing, as a result of which the victim of the data breach was forced to go to court herself. “That’s what you get if you don’t do anything as a supervisor.”

The judge established that the hospital did not check at all which files employees with unrestricted access consulted. A data officer also selected “only two patient records on a monthly basis” for review. “This (evidently) means there is no systematic and risk-oriented control. Moreover, this control was also insufficient in scope, given the scale of processing in the hospital.”

The victim discovered the data breach herself in 2018 when she asked the hospital who had had access to her file. The secretary was also found to have used emergency procedures ten times to look at her file and those of her mother and daughter. These procedures exist so that staff can view medical records in an emergency. Bravis hospital never noticed the emergency access to the files involved.

According to the judge, this concerns “a special category of personal data, namely medical personal data from a patient file of a hospital. Over a long period of four years, these data were frequently viewed unlawfully and were also insufficiently protected during this period. In addition, medical information has also been shared with third parties and published in a book.”

Therefore, the patient is entitled to compensation. The hospital has to pay her 2,000 euros, in addition to the reimbursement of the legal costs. The woman demanded a considerably higher sum of 15,000 euros.

The hospital was unable to comment on the verdict on Wednesday afternoon.
