Dutch DPA: Orthodontic practice fined for unsecured patient website

10 June 2021 Netherlands

The Dutch Data Protection Authority (DPA) has imposed a €12,000 fine on an orthodontic practice for allowing new patients to register on an unsecured website. As a result, patients’ sensitive personal data, such as their citizen service number (BSN), could have fallen into the wrong hands.

‘When you register with an orthodontist, you entrust your personal data to them,’ explained DPA deputy chair Monique Verdier. ‘This is data that the practice needs, but it is also of interest to criminals. Taking good care of your patients includes taking good care of their personal data. This applies to all care providers, not just large institutions.’

Complaint about a privacy violation
The orthodontic practice’s unsecured website came to the DPA’s attention when a complaint was lodged. The DPA decided to investigate because the complaint concerned poor security in the healthcare sector, where data protection requirements are very strict. The web form that new patients used to register contained mandatory fields requiring all kinds of personal data, as well as data concerning the patient’s parents, general practitioner, dentist and insurance company. The information that patients provided on the form was then sent to the orthodontic practice over an unencrypted – and therefore unsecure – connection.

Extra protection for children
Most orthodontic patients are children, and this case concerned the personal data of mainly children. Children are considered an especially vulnerable group in privacy legislation and as such they are given extra protection under the law to prevent abuse of their personal data.

Sensitive information
‘You must be able to assume that your care providers not only protect the confidentiality of your personal data, but also that they take the protection of your data very seriously and have appropriate security in place,’ said Monique Verdier. ‘Unfortunately, that is not always the case. If the confidentiality of sensitive personal data is breached, this could put people at serious risk. It could, for example, lead to fraud.’

Further procedure
The DPA’s decision to impose the fine is not yet final and irrevocable. The orthodontic practice lodged an objection to the fine. The DPA declared the objection unfounded. The practice can submit an application for judicial review of that decision to the district court.

For further information, please contact the Dutch DPA: https://autoriteitpersoonsgegevens.nl/nl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.