According to the results of investigations by the Dutch Data Protection Authority (DDPA), two regional electronic patient files, as well as the information systems of several Dutch hospitals, have been found to be in breach of the Act on the Protection of Personal Data (APPD) [8]. With respect to the regional electronic patient files, the DDPA determined that the individuals whose medical data were processed had not been notified of this in advance. Moreover, there were insufficient safeguards to ensure that only the attending physician could access the medical data of the relevant patient. Finally, structural controls to detect unauthorised access by persons other than the attending physician were lacking. With respect to the hospitals' information systems, the DDPA determined, inter alia, that the hospitals had no understanding of the security risks involved in their processing of medical data, which by definition constitutes highly sensitive data. The DDPA has urged the relevant organisations to take immediate corrective action. In the case of the hospitals involved, the DDPA reinforced this by imposing an order subject to a penalty for non-compliance [9].