19.07.2019 | KPMG Law Insights

Hague hospital fined up to 760,000 euros

Hague hospital fined up to 760,000 euros

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has imposed a fine of 460,000 euros on a hospital for failing to protect patient records from unnecessary access in the hospital information system. According to the report, at least 85 hospital employees unnecessarily and unauthorizedly accessed the medical records of a known patient without being involved in the patient’s care.

The regulator made it clear in its press release that the relationship between a healthcare provider and a patient is completely confidential. This also applies within the walls of a hospital. A hospital must therefore take all technical and organizational measures to ensure the security of patient data. Each hospital would need to regularly review who consults which record. This is the only way to take timely action if an unauthorized employee accesses a file.

Patient files should also be technically secured with at least two-factor authentication. Each time a patient record is accessed, a user’s identity would have to be logged by a code or password in combination with a personnel card. Uniform passwords for entire departments or the use of a common user name to avoid having to log in again each time are not permissible.

In order to implement these requirements effectively and as quickly as possible, the supervisory authority is putting the hospital under further pressure: as long as the safety precautions have not been improved, the hospital must pay an additional fine of another 100,000 euros every two weeks, up to a maximum of 300,000 euros. As a result, the hospital faces a maximum fine of 760,000 euros.

Already in October last year, a fine of 400,000 euros was imposed on a hospital in Portugal for a similar violation. The reason for this was also the lack of security of the patient file against access by non-treating medical staff. Even if the national supervisory authorities are in principle free to determine the level of fines, a comparable level of fines must also be expected in Germany for the inadequate security of patient records due to inadequate authorization concepts in hospital information systems.

Explore #more

14.11.2023 | Press releases

Tax and Law at a glance – New issue of the digital magazine “Talk

“Talk” stands for Tax and Law Compass, because that’s what the digital magazine wants to be: a navigation aid to the legal and tax aspects…

10.11.2023 | Deal Notifications

KPMG Law and KPMG AG Wirtschaftsprüfungsgesellschaft advise Ziemann Holvrieka on the acquisition of Künzel Maschinenbau

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Ziemann Holvrieka GmbH from Ludwigsburg on the acquisition of the majority of shares…

09.11.2023 | KPMG Law Insights

Mantelverordnung: New rules for mineral substitute building materials

On 01.08.2023, a number of laws came into force or were amended with the framework ordinance on the recycling of mineral waste: the ordinances…

08.11.2023 | Deal Notifications

KPMG Law advises Wide Open Agriculture on the acquisition of assets of Prolupin GmbH

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised Wide Open Agriculture Limited (WOA) on the agreement to acquire the assets of Prolupin GmbH. The agreement provides…

08.11.2023 | Deal Notifications, Press releases

KPMG Law advises Wide Open Agriculture on the purchase of assets of Prolupin GmbH

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) has advised Wide Open Agriculture Limited (WOA) on the agreement to acquire assets of Prolupin GmbH. The agreement provides…

07.11.2023 | KPMG Law Insights, KPMG Law Insights

GWB amendment: These interventions threaten after sector inquiries

On April 5, 2023, the German government passed the 11th amendment to the Act against Restraints of Competition (GWB), the so-called Competition Enforcement Act.…

01.11.2023 |

Guest article in the “Versicherungswirtschaft” on autonomous driving

Autonomous cars are supposed to be the future. For the insurance industry, the development is accompanied by new risks, but also promising market prospects. In…

01.11.2023 | KPMG Law Insights

The MoPeG is coming – Here’s how GbRs with real estate should act now

On January 1, 2024, the German Act on the Modernization of Partnership Law (MoPeG) will come into force. Then the civil law partnership (GbR) has…

31.10.2023 |

Philipp Glock on the use of generative AI in the current issue of Juve Rechtsmarkt

ChatGPT has ushered in a new information age. The same applies to law firms: If you want to keep up, you have to stay on…

25.10.2023 | KPMG Law Insights

Podcast series “KPMG Law on air”: Company pension schemes in times of inflation

In times of inflation, both employers and beneficiaries worry about how the devaluation of money will affect company pension plans (bAV). Pension commitments are generally…


Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20

Maik Ringel

Senior Manager

Münzgasse 2
04107 Leipzig

tel: +49 341 22572563

© 2023 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.