The Electronic Health Record (EHR) is an indispensable tool in healthcare. It provides healthcare professionals with quick and secure access to medical data, significantly improving the quality of care and treatment efficiency. However, this accessibility also comes with great responsibility. Unfortunately, it is not uncommon for healthcare workers to access records without medical necessity. A recent incident involving unauthorized access to the record of a football player in a mental health clinic once again highlights the vulnerabilities.
What happened?
A former professional football player was admitted to a mental health clinic. Within days, it became clear that several healthcare workers had accessed his medical record without permission and without having a treatment relationship. This was discovered during an internal audit, after which the involved staff members were suspended and an investigation was launched. This raises important questions about EHR security and ethics within the healthcare sector.
Why does this happen?
Healthcare workers have access to the EHR as part of their role, but that access is strictly tied to an active treatment relationship. Still, there are several reasons why records are accessed inappropriately:
- Curiosity – Well-known individuals often attract attention, and some employees may not be able to resist the temptation to see what’s in their file.
- Thrill-seeking – In an age where rumors spread quickly, the urge to know and sometimes even share sensitive information is strong.
- Lack of awareness of consequences – Some employees don’t realize that unauthorized access is not only unethical but can also have legal consequences.
- Lack of effective controls – Although monitoring is in place, incidents like this show that enforcement and preventive measures are still inadequate. Monitoring is often only retrospective: access is reviewed after the fact rather than detected at the moment it happens.
What are the consequences?
Misuse of the EHR is a serious breach of privacy regulations, such as those outlined in the GDPR (General Data Protection Regulation). The consequences can be significant:
- Sanctions for staff – Those who access records without authorization may face disciplinary actions, including suspension, termination, or even legal prosecution.
- Damage to trust in healthcare – Patients must be able to trust that their medical data is safe. Incidents like this can seriously erode that trust.
- Fines for healthcare institutions – The Data Protection Authority can impose substantial fines on institutions that fail to take adequate measures to prevent such misconduct.
How can this be prevented?
Although full prevention is difficult, healthcare institutions can take several measures to minimize abuse:
- Data classification and labeling – By classifying patient data based on sensitivity and applying labels, institutions can better determine which data require extra protection. This limits unauthorized access and ensures only authorized personnel have access to specific information.
- Data storage management – It’s crucial to know where sensitive data is stored—whether in the EHR, cloud environments, or local systems. Proper storage management prevents uncontrolled data spread and ensures data is managed securely and in compliance with regulations.
- Stricter access controls – Only employees with an active treatment relationship should be able to access patient records. Technical restrictions can prevent unauthorized access.
- Active monitoring and logging – Continuous monitoring of who accesses which records, with automatic alerts for unusual behavior.
- Awareness campaigns – Regular training and education on privacy rules and the consequences of misuse.
- Strict sanctions – A clear policy stating that violations lead to disciplinary actions, which can serve as a strong deterrent.
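To make the "stricter access controls" and "active monitoring and logging" measures concrete, the following is an added example, not code from the original article or from Fryqua. It assumes a simplified EHR audit log in CSV form and a roster of active treatment relationships (both constructed here), and flags two things: record access by a user with no active treatment relationship with that patient, and a burst of distinct users reading the same record within a short window, the pattern seen in the clinic incident described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster: (user, patient, relationship start, relationship end)
TREATMENT_RELATIONSHIPS = [
    ("dr_jansen", "P1001", "2024-03-01T00:00", "2024-03-31T23:59"),
    ("nurse_bakker", "P1001", "2024-03-02T00:00", "2024-03-10T23:59"),
    ("dr_jansen", "P1002", "2024-02-01T00:00", "2024-04-30T23:59"),
]

# Constructed audit log lines: timestamp,user,patient,action
AUDIT_LOG = """\
2024-03-03T09:15,dr_jansen,P1001,view
2024-03-03T09:40,nurse_bakker,P1001,view
2024-03-03T10:02,admin_vries,P1001,view
2024-03-03T10:05,nurse_smit,P1001,view
2024-03-03T10:07,dr_peters,P1001,view
2024-03-04T11:00,dr_jansen,P1002,view
2024-03-12T08:30,nurse_bakker,P1001,view
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def has_relationship(user, patient, ts, relationships):
    """True if the user had an active treatment relationship with the patient at time ts."""
    return any(u == user and p == patient and parse_ts(start) <= ts <= parse_ts(end)
               for u, p, start, end in relationships)

def audit(log, relationships, window=timedelta(minutes=30), threshold=3):
    """Return findings: accesses without a relationship, plus bursts of distinct readers."""
    events = sorted(
        (parse_ts(ts), user, patient, action)
        for ts, user, patient, action in (ln.split(",") for ln in log.strip().splitlines()))
    findings = []
    for ts, user, patient, action in events:
        if not has_relationship(user, patient, ts, relationships):
            findings.append(("NO_TREATMENT_RELATIONSHIP", ts.isoformat(), user, patient))
    # Burst detection: many different users open the same record within `window`.
    by_patient = defaultdict(list)
    for ts, user, patient, _ in events:
        by_patient[patient].append((ts, user))
    for patient, accesses in by_patient.items():
        for ts, _ in accesses:
            users = {u for t, u in accesses if ts <= t <= ts + window}
            if len(users) >= threshold:
                findings.append(("ACCESS_BURST", ts.isoformat(), patient, sorted(users)))
                break  # one alert per patient is enough to trigger review
    return findings
```

Running `audit(AUDIT_LOG, TREATMENT_RELATIONSHIPS)` reports the three staff members who opened P1001 without any relationship, the nurse whose relationship had already ended, and the burst of four distinct readers within half an hour, which is the kind of alert that an after-the-fact audit only surfaces days later.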
Active monitoring is essential!
Many healthcare institutions view monitoring as an administrative burden or a technical challenge. However, monitoring is crucial for gaining control over data flows, detecting unauthorized access, and ensuring compliance with laws and regulations. Without active monitoring, abuse often goes unnoticed or is detected too late. Effective monitoring not only provides control but also contributes to trust and protection for both patients and staff. Knowledge is power!
Balancing accessibility and privacy
The incident with the footballer is not an isolated case. It reflects a broader challenge in healthcare: how do we strike the right balance between accessibility and privacy? Healthcare institutions must continue investing in technological and organizational measures to ensure patient trust. Employees must be aware of the ethical and legal consequences of unauthorized access. Because in healthcare, the patient’s best interest must always come first—even when the patient is a public figure.
How can we help?
We are Fryqua, and we help healthcare organizations detect and prevent the misuse of sensitive information. With our active monitoring, you gain immediate insight into who is accessing your data—wherever it resides. Take back control of your information!
Want to know how we improve the balance between information accessibility and privacy? Feel free to contact us!
Source: AD.nl