19.07.2019 | KPMG Law Insights

Hague hospital fined up to 760,000 euros

Hague hospital fined up to 760,000 euros

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has imposed a fine of 460,000 euros on a hospital for failing to protect patient records from unnecessary access in the hospital information system. According to the report, at least 85 hospital employees unnecessarily and unauthorizedly accessed the medical records of a known patient without being involved in the patient’s care.

The regulator made it clear in its press release that the relationship between a healthcare provider and a patient is completely confidential. This also applies within the walls of a hospital. A hospital must therefore take all technical and organizational measures to ensure the security of patient data. Each hospital would need to regularly review who consults which record. This is the only way to take timely action if an unauthorized employee accesses a file.

Patient files should also be technically secured with at least two-factor authentication. Each time a patient record is accessed, a user’s identity would have to be logged by a code or password in combination with a personnel card. Uniform passwords for entire departments or the use of a common user name to avoid having to log in again each time are not permissible.

In order to implement these requirements effectively and as quickly as possible, the supervisory authority is putting the hospital under further pressure: as long as the safety precautions have not been improved, the hospital must pay an additional fine of another 100,000 euros every two weeks, up to a maximum of 300,000 euros. As a result, the hospital faces a maximum fine of 760,000 euros.

Already in October last year, a fine of 400,000 euros was imposed on a hospital in Portugal for a similar violation. The reason for this was also the lack of security of the patient file against access by non-treating medical staff. Even if the national supervisory authorities are in principle free to determine the level of fines, a comparable level of fines must also be expected in Germany for the inadequate security of patient records due to inadequate authorization concepts in hospital information systems.

Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…


Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20

Maik Ringel

Senior Manager

Münzgasse 2
04107 Leipzig

tel: +49 341 22572563

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.