A Dutch court has been considering a case between a health institution and an individual who was a patient there. The plaintiff brought the case against the hospital after medical information about them turned up in a published book.
The individual had been through a difficult divorce, and their ex-partner then wrote a book about it. Included in this book was medical information about the plaintiff.
Under Article 32 of the GDPR, businesses (as controllers and processors) have a duty to ensure that personal data is processed with adequate security. It also requires a risk assessment to be carried out to confirm that the security measures are adequate. Controllers and processors can be released from liability if they can prove that they are not responsible for the damage caused by unlawful processing.
The plaintiff went to court claiming that the hospital is liable because it did not have sufficient measures in place to protect their data and failed to adequately investigate the breach.
The information that ended up in the book was found to have been accessed by an ex-employee of the hospital. This employee went on to work at the publisher that published the book and also became the new partner of the ex who wrote it. When the book was published, the plaintiff asked for access to the logging data for their patient record. The records showed that this ex-employee had been accessing their file for 4 years.
The plaintiff claimed the hospital was liable for the damage caused by its employee. It was found that the hospital's monitoring policy was not up to standard, which is why the access went undetected. The access logs of employees with unrestricted access were not monitored, and only two randomly selected files were pulled for analysis each month. This falls short of the necessary standard given the amount of data the hospital processes.
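The kind of log review the court found missing, as an added illustration that is not part of the original article or of the hospital's systems: every access by privileged users is evaluated, and repeated or long-running access to a record by someone outside its care team is flagged rather than relying on a random monthly sample. The log format, user and record ids, and the care-team table are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access-log lines (not real data): timestamp, user id, record id, role.
SAMPLE_LOG = """\
2019-01-03T09:12:00 u1042 rec-77810 admin
2019-06-14T22:41:10 u1042 rec-77810 admin
2020-02-02T07:05:33 u1042 rec-77810 admin
2021-11-19T18:20:05 u1042 rec-77810 admin
2022-12-30T23:59:59 u1042 rec-77810 admin
2022-12-30T10:00:00 u2201 rec-77810 nurse
2022-12-30T10:05:00 u2201 rec-55512 nurse
"""

# Constructed treatment-relationship table: (user, record) pairs with a legitimate care relationship.
CARE_TEAM = {("u2201", "rec-77810"), ("u2201", "rec-55512")}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, user, record, role) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, record, role = m.groups()
            events.append((datetime.fromisoformat(ts), user, record, role))
    return events


def flag_suspicious(events, care_team, min_hits=3, min_span_days=180):
    """Review every access (not a sample) and return (user, record) pairs where a user outside the
    record's care team accessed it repeatedly or over a long period."""
    by_pair = defaultdict(list)
    for ts, user, record, _role in events:
        by_pair[(user, record)].append(ts)
    flagged = []
    for (user, record), stamps in by_pair.items():
        span_days = (max(stamps) - min(stamps)).days
        if (user, record) not in care_team and (len(stamps) >= min_hits or span_days >= min_span_days):
            flagged.append({"user": user, "record": record, "accesses": len(stamps), "span_days": span_days})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(hit)
```

In a real deployment the care-team table would come from the scheduling or treatment system, and the review would run continuously rather than once a month.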
When contacted, the hospital said it had sufficiently investigated the breach. It could have handled the matter better, however, as it failed to contact the individual involved. When contacted by the plaintiff, the hospital said that the employee involved had had their contract terminated. Nevertheless, it was clear that the hospital had violated Article 32 of the GDPR, as there was no adequate security for the plaintiff's data.
The plaintiff's rights to privacy and data protection were violated. The data involved is considered a special category of data because of its sensitive nature. Not only was it insufficiently protected and therefore unlawfully accessed, but it was accessed continuously over a long period of time. This medical information was then shared and published in a book.
The court found it clear that the plaintiff would have suffered adverse consequences from this, such as anxiety, and that they are therefore entitled to fair compensation. The court ordered the hospital to pay €2,000 ($1,957 USD) to the plaintiff.