Dutch MP fined for hacking into medical file system

While the MP said he acted as an ethical hacker, his actions were disproportional, the court said

Dutch Member of Parliament (MP) Henk Krol was fined ¬750 (US$1,000) by the district court of Oost-Brabant on Friday for breaking and entering the system of the Dutch medical laboratory Diagnostics for You. Krol said he entered the system as an ethical hacker to show that it was easy to access and download confidential medical information.

Krol, leader of the Dutch 50plus party, accessed the systems of the laboratory with a login and password he had obtained from a patient of the clinic, who in turn had overheard the information at the laboratory from a psychiatrist that worked there, the court said in its ruling.

Krol became an MP when he was elected in September last year. Before that he was editor-in-chief of the magazine Gay Krant and was a member of the provincial parliament of the province of Noord-Brabant.

In April last year, Krol used the login information to enter the company's Web server and subsequently viewed and downloaded medical files of several patients. He did this to prove how easy it was to get access to the systems, according to the ruling.

Krol printed the files, redacted them and informed the laboratory of their faulty security. But he also reported his actions to local TV station Omroep Brabant, in whose presence patients' medical records were accessed again, the court said.

"The court finds that any infringement of an automated work without consent of the owner is punishable," unless there are very special circumstances that serve higher interests that fully justify such an infringement, the court said.

The court, however, agreed with Krol that the detection of defects in the protection of confidential, medical data can serve a substantial public interest. Krol said he acted as a journalist and ethical hacker at the time of the breach.

The fact that he logged into the website and consulted some files was not unlawful, the court said. Similarly, downloading and printing the files to demonstrate the failures and scale of the security risk are defensible, it added. Krol also handled the information carefully because he redacted the printed files, the court noted.

It was however disproportional that Krol proceeded to view and print more files than necessary to prove his point, the court said. In addition, he should have given the laboratory more time to fix the problem and should have tried to contact them more than once before he informed the media, the court said.

Krol only knew of one employee that acted carelessly with login information. "Therefore, the problem was not so acute that immediate use of media was necessary," the court said.

The court said it does not doubt Krol's good intentions, but that he did exceed the boundaries set by law. Because there are no signs that Krol will repeat his actions in this manner, he was only fined ¬750, while the prosecution asked for a ¬1,500 fine, the court said. Krol's tipster was fined ¬250.

Krol couldn't be reached for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies