Vaccination data shared with RIVM without consent: report

Some 700 patients' Covid-19 vaccination data was shared with public health institute RIVM without the patients' consent, BNR found in its own research. The problem came through an error in one of the systems used by general practitioners, which did not properly register whether or not a patient gave permission for their personal data to be shared.

A total of 70 general practices use the system in question, the developer told BNR. The temporary software error has now been resolved, the developer said. 500 of the involved patients clearly indicated that their information should not be shared. Of the other 200, it is not known whether they gave consent.

The RIVM confirmed to the broadcaster that it received the data without the patients' explicit consent. This happens every now and again, and the RIVM tries to remove the data as soon as possible, a spokesperson said.

Health service GGD also shares Covid-19 vaccination data with the RIVM. A spokesperson told BNR that the GGD does not know of any cases in which vaccination data was shared without consent, but cannot rule out the possibility.

The Ministry of Public Health said it was pleased that the problem was adequately identified and resolved.

But privacy experts were more negative. Paul Korremans of Privacy First called this a very serious mistake. "It is a very serious invasion of the privacy of the individuals involved. The fact that people explicitly stated that their information may not be shared makes it even worse."

According to Hans de Raad, owner of OpenNovations, which specializes in medical software and cybersecurity, this never should have happened. "If you work with medical, highly sensitive data, extra strict standards apply. It seems like at least one of the basics was skipped here," he said to the broadcaster. Developers are supposed to run a risk analysis and keep checking the software. "If you applied this, then it is very strange that this error was only discovered months later."

Korremans told BNR that not only the developer is at fault here. "GPs should be more aware of the sensitivity of medical data and look much more critically at the work of the developer."