Software company violated the medical privacy of at least 72,000 Dutch people for years

Follow the Money (FTM) reports, after its own investigation, that the Dutch healthcare IT company Medworq for years breached the professional secrecy of at least 35 general practitioners by keeping the medical records of at least 72,000 Dutch people unencrypted and unpseudonymised, accessible to many parties, including pharmaceutical companies.

Medworq reportedly obtained the data in several ways, mainly through Insider, a dashboard for general practitioners developed by Medworq. GPs can use it to compare their own patient data with similar cases at other practices, the aim being to diagnose patients better and so make care more efficient and cheaper. It is unclear how many practices use the system. Patient records are very strictly protected under Dutch law.

As a result of the use of this system, copies of patient data ended up at the software company. According to FTM's research, internal documents and statements from former employees, these copies were not pseudonymised. Medworq's management denies this, and also claims that all data was destroyed in early summer 2020. The company is now virtually bankrupt.

A major source for FTM is a whistleblower. He approached the outlet with a hard drive from the company in his possession. It contained a copy of the data that Medworq kept on a work laptop, as well as internal company documents. The whistleblower wanted to do something about the ‘large scale in which patient privacy was being violated’ at Medworq. One developer wrote in an internal memo that Medworq’s servers were “full of real medical records that no one knew where they came from.”

Within Medworq the data was apparently freely accessible to many, if not all, employees, and funders and clients of the Insider software could access it too. Pharmaceutical giant GlaxoSmithKline was the largest of these, but the pharmaceutical companies Amgen, Novo Nordisk and Boehringer Ingelheim were also on that list. All of them had Insider user accounts. GSK was ‘by far’ the largest financier and at one point took a copy of Medworq’s complete database.

Before approaching FTM, the whistleblower first went, without result, to the Ministry of Health, the Military Intelligence and Security Service (MIVD) and the police. Why the Dutch Data Protection Authority is not on that list is unclear.

The whistleblower’s removal of the data is in itself a data breach. Medworq learned of it through a telephone call from the MIVD and immediately reported the theft. The employee in question left in 2019; in 2020 Medworq was made aware of the data breach constituted by the whistleblower’s copy. What exactly motivated the MIVD in this case is unclear. Medworq further claims to have informed the affected GP practices, but FTM’s inquiries indicate that none of the 35 affected GPs or practices known to it have been contacted by Medworq.

Medworq distances itself from the FTM article and states that ‘it does not paint a good picture of how Medworq handled personal data of patients’. FTM’s investigative report is very extensive, and the outlet has also made a video to make the story easier to follow. FTM is also working on part two of this story, in which it tells ‘how Medworq got millions to build a medical data collection for pharmaceutical companies – and what happened next’.
