OLVG hospital – €440,000 Fine (Netherlands, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
OLVG hospital in the Netherlands was fined EUR 440,000 for not securing patient records properly. Employees accessed sensitive health data without strong security checks, which is a big privacy concern. This shows the importance of using strong security measures to protect personal data.
What happened
OLVG hospital failed to use strong security measures, like two-factor authentication, to protect electronic patient records.
Who was affected
Patients whose health records were accessed by hospital employees without proper security measures.
What the authority found
The Dutch authority found that OLVG did not adequately protect patient data, violating GDPR's security requirements.
Why this matters
This case highlights the need for hospitals and similar organizations to implement robust security measures like two-factor authentication to protect sensitive health data. It serves as a reminder that failing to secure personal data can lead to significant fines.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The AP received two data breach notifications from the OLVG Foundation about access by employees and work students to electronic patient records. In response to these notifications, the AP initiated an investigation into OLVG's compliance with Article 32(1) of the GDPR by inspecting, among other things, authentication and the verification of the logging procedures. The AP announced the investigation in a letter dated 17 April 2019 and put questions to OLVG. These questions were answered by a letter dated 3 May 2019. On 22 May 2019, five inspectors from the AP conducted an on-site investigation at one of the locations of OLVG. During this investigation, the inspectors checked different components of the hospital's information system. Oral statements were also taken from members of the Executive Board and various employees of OLVG. The AP sent the report of findings to OLVG on 10 February 2020. On 17 February 2020, the AP sent OLVG a letter announcing its intention to enforce. OLVG provided its views on this intention in writing on 27 March 2020 and orally on 25 June 2020.

Since 19 October 2015, OLVG has been using a new information system to store electronic patient records. OLVG provided medical care to approximately 500,000 patients in 2018 alone, which leads the AP to conclude that the hospital processes personal data, including special category (health) data under the GDPR, on a large scale.

The AP found two potential issues. 1. Two-factor authentication. The AP found that employee authentication was done in two ways, depending on whether access is requested from inside or outside the OLVG network. When logging in from within the OLVG network, employees must use their username and password to access their virtual workstations (VDI); a second factor such as a staff pass or a token is not required in this case. A single sign-on functionality is also used, allowing an employee who is already logged in to the VDI immediate access to the hospital in
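The finding above is that a password-only VDI login from inside the network, combined with single sign-on, gave immediate access to the patient record system without a second factor. As an added illustration (not OLVG's system or the AP's tooling), the following checker replays a constructed, made-up authentication log and flags every patient-record access made by a session that never presented a second factor, regardless of whether the session started inside or outside the network; the log format and factor names are assumptions for the example.

```python
"""Audit constructed login/SSO/access events against the expectation the AP
applied here: access to electronic patient records (EPD) requires a second
factor, and single sign-on must not silently inherit a password-only session."""
from dataclasses import dataclass, field

# Constructed sample log (not real OLVG data).
# Format per line: event session user origin detail
SAMPLE_LOG = [
    "login s1 alice internal password",          # inside network, password only
    "sso s1 alice internal epd",                  # SSO hands the session to the EPD
    "login s2 bob external password+token",       # outside network, second factor used
    "sso s2 bob external epd",
    "login s3 carol internal password",
    "access s3 carol internal epd:record-1234",   # direct EPD access, password-only session
]

# Factors that count as a second factor in this example (assumed names).
STRONG_FACTORS = {"token", "staffpass", "otp"}


@dataclass
class Session:
    user: str
    origin: str
    factors: set = field(default_factory=set)


def parse(line):
    """Split one log line into its five whitespace-separated fields."""
    event, session, user, origin, detail = line.split()
    return event, session, user, origin, detail


def audit(lines):
    """Return (session, user, origin, detail) for every EPD access made by a
    session whose login presented no strong factor, or by an unknown session."""
    sessions = {}
    findings = []
    for line in lines:
        event, sid, user, origin, detail = parse(line)
        if event == "login":
            sessions[sid] = Session(user, origin, set(detail.split("+")))
        elif event in ("sso", "access") and detail.startswith("epd"):
            s = sessions.get(sid)
            if s is None or not (s.factors & STRONG_FACTORS):
                findings.append((sid, user, origin, detail))
    return findings
```

Note that the check keys on the session's own login factors, so the internal/external origin does not change the outcome; only the presence of a strong factor does.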
Related Enforcement Actions (0)
No other enforcement actions found for OLVG hospital in NL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 November 2020
Authority
Autoriteit Persoonsgegevens
Fine Amount
€440,000
GDPRhub ID
gdprhub-3150
Cite as: Cookie Fines. OLVG hospital - Netherlands (2020). Retrieved from cookiefines.eu