Hospital – €200,000 Fine (Belgium, 2024)

€200,000 | Autorité de Protection des Données | 17 December 2024 | Belgium | final | Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A hospital in Belgium was fined for not protecting patient data during a ransomware attack. The attack affected about 300,000 individuals because the hospital lacked proper security measures. This case highlights the need for healthcare providers to have strong data protection policies.

What happened

The hospital was fined for failing to secure its systems against a ransomware attack.

Who was affected

Approximately 300,000 patients whose data was compromised were affected.

What the authority found

The Belgian Data Protection Authority found that the hospital did not conduct a required data protection impact assessment and lacked adequate security measures.

Why this matters

This ruling serves as a wake-up call for healthcare organizations to implement robust data protection strategies. It underscores the importance of safeguarding sensitive patient information.

GDPR Articles Cited

Art. 24 GDPR
Art. 32 GDPR
Art. 5(1)(f) GDPR
Art. 35(3) GDPR

Source verified 6 March 2026
amount discrepancy
Full Legal Summary

The Belgian DPA has fined a hospital EUR 200,000. The hospital had suffered a ransomware attack through a vulnerability in the server, which paralyzed parts of the computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment. The DPA also found that the hospital did not have an adequate information security policy in place and had failed to implement appropriate technical and organizational measures to protect personal data and prevent such an incident, such as employee training and a process for applying security updates to IT equipment.


Details

Fine Date: 17 December 2024

Authority: Autorité de Protection des Données

Fine Amount: €200,000

Enforcement Tracker ID: ETid-2521

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hospital - Belgium (2024). Retrieved from cookiefines.eu
