Belgian data protection authority fines hospital after data breach for taking insufficient data protection measures
In 2021, a Belgian hospital fell victim to a ransomware attack that disrupted critical operations and compromised the personal data of around 300,000 people. Because of significant deficiencies in the hospital's data protection measures, the Belgian data protection authority imposed a fine of €200,000 three years later. The case is a warning to organisations processing (sensitive) personal data that they must take appropriate data protection and security measures, in particular measures aimed at preventing cyberattacks. Below, we discuss the lessons learned and offer insights that organisations can use to avoid similar risks.
Our TMT team at Stibbe has extensive experience with applicable cybersecurity and data protection laws and regulations. Please do not hesitate to contact us if you have any questions about the decision or its application to your organisation.
Context of the attack
Following an earlier successful ransomware attack in 2019, the hospital's servers were hit by a second ransomware attack in 2021. The hospital notified the Belgian Data Protection Authority (“DPA”) of the data breach and issued a press release to inform the public about the incident. In its decision of 17 December 2024, the DPA ruled that the hospital had breached its obligation to take appropriate security measures, since the cybersecurity measures in place were insufficient to prevent such an attack. Below, we summarise (i) the key lessons learned from this decision and (ii) the parameters that influenced the amount of the fine.
Key Lessons for organisations
1. Carry out an appropriate data protection impact assessment (“DPIA”)
A DPIA should identify the risk of a malware attack for each processing activity and the means by which such an attack can be detected early, so that the organisation can adopt security measures proportionate to that risk. Organisations should also consider the specific risks of cyberattacks and data breaches in their sector and address them in the DPIA.
2. Adopt a coherent information security policy
Drawing up separate, unrelated documents, such as an “emergency plan” or staff regulations, is not enough to qualify as a coherent and formal information security policy. The information security policy should give an overview of all security measures, responsibilities and procedures, should be clear and accurate, and should be kept up to date and approved by the person responsible for day-to-day management.
3. Implement technical and organisational security measures
Establishing concrete security measures is key. Depending on the sector and the risks related to the processing of personal data, these may include:
- regular staff training (an organisational measure);
- effective, tamper-proof logging that records who accessed which information and when;
- a cybersecurity audit, in some cases annually, to identify deficiencies in information management systems;
- a strong password policy for authentication.
Criteria for imposing the fine
In accordance with the European Data Protection Board's Guidelines 04/2022 on the calculation of administrative fines under the GDPR, the DPA decided to impose a fine and set out a detailed calculation of its amount.
The DPA first considered the nature, gravity and duration of the infringements. It assessed their gravity by taking into account the number of individuals affected, the type and purpose of the processing, and the extent of the harm. The DPA also took into account mitigating factors, such as the hospital's efforts to limit the impact of the attack and to ensure continuity of patient care during the incident, as well as the pressure placed on the hospital by the COVID-19 pandemic, the energy crisis and inflation.
Based on these criteria, the DPA ultimately set the fine at €200,000.
Conclusion
This decision is one of the first where the Belgian DPA addresses (a lack of) cybersecurity measures in the context of a cyberattack. The Belgian DPA clarifies that organisations have an active duty to take preventive cybersecurity measures, such as a thorough DPIA and sector-specific technical and organisational security measures.
The DPA also appears ready to impose fines for inadequate cybersecurity measures. Although the €200,000 fine is one of the highest imposed in Belgium to date, it remains relatively low compared to the maximum fines provided for in the GDPR. It remains to be seen whether the Belgian DPA will continue this decision practice regarding inadequate cybersecurity measures and whether it will continue to increase the amounts of its fines.