The Barbie case: GDPR and the mishandling of patient information

The Barbie case (The Netherlands): GDPR and the mishandling of patient information

Not all security breaches stem from sources outside of healthcare organisations, they can also stem from within the organisation.

In 2018, a Dutch local TV-show personality was admitted to a hospital in the Netherlands. Curious staff members sought access to this person’s medical file, while they were not part of the official treating medical team (Kolbasuk McGee, 2019). When this news reached the board of the hospital, they reported the incident to the Dutch supervisory authority (‘Autoriteit Persoonsgegevens’). While the incident occured in 2018, before the GDPR came into effect, the case was reviewed according to this new regulation. This due to the fact it was reported a long time after the GDPR came into effect. As a result of the investigation by the Dutch supervisory authority, the hospital received a fine of €460,000 under the GDPR. Additionally a fine of €100.000 per two weeks, with a maximum of €300.000, would be levied if the required security measures were not implemented before 2 Oktober 2019 (Autoriteit Persoonsgegevens, 2019; Kolbasuk McGee, 2019)

The Dutch supervisory authority concluded that the internal security of patient records was not up to standards. For instance, the hospital lacked two factor authentication for gaining access to medical records. Additionally, there was no regular review of the log files that register who has requested access to which files. All of which is required under the GDPR (Autoriteit Persoonsgegevens, 2019).

While proper internal security measures should have been in place, this case can also be attributed to the behaviour of the hospital’s staff members. As the Dutch supervisory authority stated, the relationship between the healthcare provider and the patient should be confidential, also within the walls of the hospital (Autoriteit Persoonsgegevens, 2019). And while the GDPR is relatively new, at its core, not much has changed with regards to privacy, so healthcare staff should have been aware of this issue (, 2019)

As this case begins to demonstrate, healthcare organisations should review internal logging systems and IAM (Identity and Access Management) regularly. Additional training, workshops or other form of reminders may help staff to remind them of their duties towards patient privacy. Hospitals may benefit from reviewing the organisation’s security culture, in order to see whether a larger challenge exists.


Autoriteit Persoonsgegevens. (2019, July 16). Haga beboet voor onvoldoende interne beveiliging patiëntendossiers. Retrieved 2 September 2019, from

Kolbasuk McGee, M. (2019, July 18). Patient Record Snooping Incident Leads to GDPR Fine. Retrieved 2 September 2019, from (2019). Trainer interviews report. Retrieved from