Throughout the last couple of years, the healthcare sector in the Netherlands has been one of the frontrunners in terms of the number of data breaches reported to the Dutch Data Protection Authority (2017, 2018, 2019). With the recent data breach at the GGD, exposing the personal data of tens of thousands of people getting tested for the coronavirus, the crucial issue of data breaches in the sector has received very strong public attention as well. This blog provides insight into how a data breach can be recognised, what practical steps organisations can take to reduce the risk of a breach, and how organisations can respond.
Current events
Recently, the Dutch public has become all too familiar with data breaches: in the midst of the COVID-19 pandemic, it became apparent that there was a large-scale trade in the personal data of tens of thousands of Dutch citizens, originating from the two main corona systems of the public health service GGD. The data includes addresses, telephone numbers, citizen service numbers and test results. Previously, the HagaZiekenhuis in The Hague was in the spotlight after it was fined € 460,000 for an incident in which dozens of employees illegally accessed the digital patient file of a Dutch celebrity.
It’s not new
According to the latest annual report of the Dutch Data Protection Authority, the number of (reported) data breaches in 2019 increased by 29% to a staggering 27,000 data breach notifications. The report highlighted that the healthcare sector had the second highest number of data breach notifications, similar to previous years. Most (reported) data breaches occurred because personal data was sent to the wrong
Types of data breaches
To recognise a data breach, we first have to know what a data breach is. Data breaches can occur in various shapes and sizes:
The above overview shows that data breaches are far from limited to incorrectly sent e-mails or hacked systems; they can occur in many different ways. It is important to recognise a data breach in time, so that action can be taken.
After a data breach
After a data breach has been identified, it is first of all important, where possible, to take damage-reducing measures. If, for example, a laptop containing personal data has been lost, it may be possible to wipe this data remotely. In addition, the data breach must usually be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) and, in certain cases, also to the individuals involved (the data subjects).
“A data breach must be reported to the AP within 72 hours after the discovery of the breach, unless the breach does not pose a risk to the 'rights and freedoms' of the individuals involved.”
It can be difficult to assess whether there is such a (high) risk. The EDPB guideline 'Notification requirement for personal data breaches' can help with this. For example, a data breach caused by data being sent to the wrong recipient does not always need to be reported if it concerns a 'reliable recipient' (e.g. recipients such as doctors who are bound by professional secrecy).
The AP mentions in this regard:
“Health data is generally very sensitive. If this type of data is accessed by unauthorised persons, the risk for the data subjects will generally be high. Even if the incorrect recipient destroys or returns this data after it has been viewed. This is because there has already been a major breach of the privacy of the data subject. Data breaches involving Citizen Service Numbers, 'BSN', [PP: which are frequent in healthcare and insurance, as the patient must be identified before providing care] generally also pose a high risk, particularly if additional personal data has also been leaked. If the BSN, in combination with other personal data, falls into the hands of unauthorised persons, the data subjects may run a risk of (identity) fraud.”
The starting point is therefore that data breaches must be reported to the AP. In addition, a data breach must always be recorded in the data breach register. This also applies if the data breach does not need to be reported to the AP and/or the data subjects.
If you use a solution like PrivacyPerfect, you can take care of most of these steps with the help of automation.
Prevention
Various measures can be taken to reduce the risk of a data breach. Awareness within the organisation is essential here. Additionally, the following actionable insights can help reduce the risk of the most common types of data breaches:
Conclusion
A data breach can happen more quickly than you might initially think. It is therefore important to be well prepared. For the healthcare sector in particular, where highly sensitive personal data is processed on a large scale, it is crucial to reduce the risk of a breach and, if a breach does happen, to limit the impact of the data leak wherever possible. Compromised sensitive patient data does not only affect the data subject, but also the trust of the patient and the reputation of the organisation. It is therefore critical to raise awareness of the importance of data privacy throughout the organisation, so that employees at every level know what a data breach is, are alert to it, know what to do if one occurs, and have all the necessary tools at their disposal so they can keep doing what they do best: providing healthcare.
If you would like to learn more about the added value of data privacy compliance for healthcare organisations, you can download our paper, which focuses specifically on Dutch care and cure organisations (in Dutch).