Concerns over Dutch medical sector’s use of Amazon cloud for patient information storage
Medical device manufacturers use Amazon’s cloud services to store data from hospital patients. That means that sensitive information about diagnoses and treatments goes from the medical specialist in the Netherlands, through the device's manufacturer, directly to the United States, where intelligence services can access that data. Follow the Money came to this conclusion after studying 147 contracts between university hospitals in the Netherlands and suppliers of medical equipment obtained through the Government Information (Public Access) Act.
The first thought is whether this sensitive medical data is adequately secured and encrypted. But that is not even the biggest problem, Gerrit-Jan Zwenne, a lawyer and professor of data protection in Leiden, said to FTM. Even giving Amazon the benefit of the doubt, believing that the tech giant protects data well, this is still a significant problem.
According to Zwenne, Amazon is powerless against the intelligence agencies in the U.S. If the NSA, FBI, or any other agency shows up with a warrant signed by a judge ordering Amazon to give up specific information, the company can do nothing but provide the requested data. “In America, a duty of confidentiality can also be imposed, the so-called gag order,” Zwenne said. “Amazon is then not even allowed to tell a hospital that it had to provide data to an intelligence service.”
In 2020, the European Court of Justice banned the transfer of personal data to the United States because the country does not offer the same level of protection as the EU. That makes sending patient data to the U.S. completely unlawful, Gerard Ritsema van Eck, a data and privacy expert at the University of Groningen, told FTM. The Dutch Data Protection Authority confirms that on its website: under the Dutch General Data Protection Regulation (APV), it is “in principle not permitted to pass on personal data to the U.S.”
Medical data is, by definition, very privacy-sensitive and is protected under the Medical Treatment Contracts Act (WGBO), which doctors rely on for professional secrecy. But when data comes into companies’ hands, that confidentiality is no longer guaranteed. The WGBO protection expires, and the APV applies, which offers far fewer guarantees. That is very concerning, several experts told FTM.
“It is a risk to place sensitive data with companies that can make money from it,” Lotje Beek of Bits of Freedom, a foundation that advocates for digital civil rights, said to FTM. “Consider, for example, data showing that someone is pregnant. Then Amazon can show advertisements that respond to this. It is a goldmine for such platforms.”
The average patient does not even realize that their private data ends up with commercial parties like manufacturers of diagnostic instruments, Haykush Hakobyan of privacy watchdog Privacy First added. “Let alone that they know that those parties then enlist Amazon for the storage or analysis of that data,” he said. “The fact that manufacturers are scrambling behind the scenes to get to your data is a risk. You have no insight into your data and no control. The more parties, and the more complex the service, the less chance you have of exercising your rights as a patient.”