Search
Contact
19.07.2019 | KPMG Law Insights

Hague hospital fined up to 760,000 euros

Hague hospital fined up to 760,000 euros

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has imposed a fine of 460,000 euros on a hospital for failing to protect patient records from unnecessary access in the hospital information system. According to the report, at least 85 hospital employees unnecessarily and unauthorizedly accessed the medical records of a known patient without being involved in the patient’s care.

The regulator made it clear in its press release that the relationship between a healthcare provider and a patient is completely confidential. This also applies within the walls of a hospital. A hospital must therefore take all technical and organizational measures to ensure the security of patient data. Each hospital would need to regularly review who consults which record. This is the only way to take timely action if an unauthorized employee accesses a file.

Patient files should also be technically secured with at least two-factor authentication. Each time a patient record is accessed, a user’s identity would have to be logged by a code or password in combination with a personnel card. Uniform passwords for entire departments or the use of a common user name to avoid having to log in again each time are not permissible.

In order to implement these requirements effectively and as quickly as possible, the supervisory authority is putting the hospital under further pressure: as long as the safety precautions have not been improved, the hospital must pay an additional fine of another 100,000 euros every two weeks, up to a maximum of 300,000 euros. As a result, the hospital faces a maximum fine of 760,000 euros.

Already in October last year, a fine of 400,000 euros was imposed on a hospital in Portugal for a similar violation. The reason for this was also the lack of security of the patient file against access by non-treating medical staff. Even if the national supervisory authorities are in principle free to determine the level of fines, a comparable level of fines must also be expected in Germany for the inadequate security of patient records due to inadequate authorization concepts in hospital information systems.

Explore #more

10.07.2026 | KPMG Law Insights

New Packaging Implementation Act tightens obligations for companies

  Co-author: Séverine Sieprath, Director of Audit, KPMG AG Wirtschaftsprüfungsgesellschaft   The Packaging Implementation Act (VerpackDG),…

09.07.2026 | In the media

Op-Ed in *Versicherungsmagazin*: D&O Insurance—A Legal Safety Net in Turbulent Times

Liability risks for executives are increasing significantly: New regulatory requirements such as NIS-2, CSRD, and the Supply Chain Act are expanding the responsibilities of managing

02.07.2026 | KPMG Law Insights

Registered mail with return receipt no longer provides proof of delivery—here are some alternatives

Registered mail with return receipt, when used as part of electronic documentation, no longer constitutes prima facie evidence of a…

02.07.2026 | Deal Notifications

KPMG Law advises the Prinzhorn Group on the acquisition of Stora Enso’s German facilities

KPMG Law has advised Mosburger GmbH, a subsidiary of Dunapack Packaging and part of the Austrian Prinzhorn Group, on the acquisition of Stora Enso’s German…

02.07.2026 | In the media

KPMG Law Interview in Focus Business: EmpCo Is Coming: Sustainability Marketing Becomes a Top Priority

Stricter EU rules set clearer boundaries for climate pledges and social claims. KPMG Law expert Manuela Meyer explains which claims must be verified and how…

29.06.2026 | KPMG Law Insights

Embedding Digital Sovereignty in the Enterprise – Legal Requirements for IT Systems

Digital sovereignty is an important strategic success factor, and many measures are also required by law. Through legislation such as the Data Act, NIS-2, the…

25.06.2026 | In the media

KPMG Law Interview in fvw I Traveltalk: Upcoming EU Package Travel Directive — “For the industry, the real work is just beginning”

After more than two and a half years, the legislative process, including publication, was recently completed. Now the deadline for tour operators and travel agencies…

24.06.2026 | Deal Notifications

KPMG Law advised the shareholders of Zimmermann PV-Steel Group on the sale to Nextpower

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the shareholders of Zimmermann PV-Steel Group (Zimmermann) on the sale of the company to Nextpower™ (Nasdaq: NXT), a…

23.06.2026 | KPMG Law Insights

Germany is modernizing its arbitration law

On June 10, 2026, the Federal Government presented a draft of the “Act on the Modernization of Arbitration Law.” Its aim is to adapt the…

18.06.2026 | In the media

KPMG Law Guest Article in *Innovative Administration*: Protection in Turbulent Times

Board members of municipal enterprises face personal, unlimited liability, which is further exacerbated by the unique characteristics of the public sector. D&O insurance protects their…

Contact

Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Lawyer
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

Tel.: +49 761 769999-20
shoegl@kpmg-law.com

Maik Ringel

Senior Manager

Münzgasse 2
04107 Leipzig

Tel.: +49 341 22572563
mringel@kpmg-law.com

© 2026 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll