The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) has announced that it will begin auditing data security practices in the healthcare sector in the coming months. The authority plans to conduct spot checks through visits to healthcare organizations that handle sensitive patient information. The aim is to assess whether these providers are protecting personal data properly, with particular attention to medical data.
What the AP will be looking for
Healthcare organizations in the Netherlands are required to protect personal data under the GDPR (known locally as the AVG). In practice, that means ensuring patient information is only accessible to people who genuinely need it for their role, and that the organization has security controls in place to prevent misuse, accidental exposure, or cyberattacks.
During inspections, the AP is expected to examine both:
- Technical safeguards such as access controls, system security, and measures that reduce the likelihood of unauthorized access.
- Organizational safeguards such as policies, procedures, monitoring, and how access rights are assigned, reviewed, and enforced.
Why healthcare is a priority
Medical data is among the most sensitive categories of personal information. It can reveal diagnoses, treatments, medications, and other highly private details that people reasonably expect to remain confidential. At the same time, healthcare organizations often rely on complex systems and workflows that involve many staff members, vendors, and inter-organizational data exchanges—each of which can introduce security and privacy risks.
The AP has signaled that the sector remains vulnerable to incidents such as:
- Data breaches caused by weak security controls or system misconfiguration.
- Unauthorized “curiosity access,” where staff members view records without a legitimate reason.
- Cyberattacks targeting healthcare organizations because medical data can be highly valuable.
- Mistakes during information sharing between healthcare institutions or service providers.
How the AP plans to approach these checks
The audits are intended to do more than just identify problems. The AP has indicated that these visits will also have a practical dimension—helping organizations understand what is expected and where they may need to strengthen their controls. Inspectors may review how patient data is protected day-to-day, how access to medical records is managed, and whether safeguards are consistently applied across the organization.
What this means for healthcare providers
This enforcement initiative is a clear signal that the AP is making healthcare data security a near-term priority. Providers that have not recently reviewed their access governance, security controls, breach readiness, and internal oversight should treat these inspections as a reason to accelerate improvements. Beyond legal compliance, strong safeguards are essential to maintaining patient trust and protecting the integrity of care.
