
Unauthorised access to mental health records: No breach of professional secrecy, but a duty of extra protection

This year, several incidents came to light in which mental health care (GGZ) employees accessed medical records without being involved in the patient’s treatment. A former patient in Eindhoven discovered that 160 staff members had viewed her data. In Gelderland, ten employees who were not part of the treatment team accessed the file of a former professional football player, and in Rotterdam, a patient received, after an inquiry by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), a log list showing more than 360 names of GGZ employees who had viewed her record.

In Trouw, Martin Buijsen, Professor of Health Law at Erasmus School of Law, spoke about the legal implications. “Only treatment team members are allowed to access the record,” he said. “The law is clear on this. Others need the patient’s consent. Nevertheless, it happens regularly that healthcare employees look into records without authorisation, though rarely on such a large scale.”

The role of the Dutch data protection authority

The AP has the power to impose sanctions, but does so infrequently. “Although the healthcare sector leads in data breaches, relatively few fines have been issued,” Buijsen noted. “In 2021, OLVG Hospital was fined €440,000 for insufficient security of medical records. In 2019, Haga Hospital received a similar fine and a penalty order for inadequate internal security.”

He emphasised that simply keeping log files is not enough to fulfil the duty of care. “The AP requires active security measures. This can mean implementing two-factor authentication even for internal staff. Merely registering those who log in is insufficient.”

Unauthorised access: No breach of professional secrecy, but a violation of privacy

Strictly speaking, this does not constitute a breach of professional secrecy, Buijsen explained. “Medical professional secrecy is breached when a healthcare provider bound by confidentiality shares data with a third party without legal grounds to do so. That is not the case here. However, it is a violation of the patient’s informational privacy. Institutions are obliged to protect that data adequately.”

More information

Read the article from Trouw (in Dutch).
