In the case of the leak of 500,000 medical records of French patients, the CNIL has just delivered its verdict. The data-protection watchdog has decided to impose a fine of 1.5 million euros for negligence on the software publisher Dedalus. It blames the company for several security flaws that led to this massive leak.
Remember, in February 2021, the medical files of 500,000 French patients were hacked and found themselves in plain sight on the web. This information came from a database of over thirty medical biology laboratories located in the northwest of France.
In particular, the leak contained rather sensitive data such as “the surnames, first name, social security number, name of the prescribing doctor, date of the last examination but also and above all medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or genetic data)”, as the CNIL reminds us. Following this massive leak, a Rennes company had also developed a free tool to find out whether or not your medical data had been compromised.
In the days following this major leak, the CNIL carried out several checks on the company Dedalus Biologie, a company specializing in the development and sale of software solutions for medical analysis laboratories. After a lengthy investigation, the CNIL published its verdict this Thursday, April 21, 2022. On the basis of the findings made during these checks, the CNIL's restricted committee (the body responsible for pronouncing sanctions) “considered that the company had breached several obligations under the GDPR, in particular the obligation to ensure the security of personal data”.
The CNIL imposes a heavy fine on Dedalus for negligence
In fact, the institution decided to impose a fine of 1.5 million euros on the company Dedalus France. This amount was set “in view of the seriousness of the breaches identified, but also taking into account the turnover of the company DEDALUS BIOLOGY”. Here, in detail, are the various breaches observed of the obligation to ensure the security of personal data, as provided for in Article 32 of the GDPR:
- Lack of specific procedure for data migration operations
- Lack of encryption of personal data stored on the problematic server
- Lack of automatic deletion of data after migration to the other software
- Lack of any authentication requirement for access from the Internet to the public area of the server
- Use of user accounts shared between several employees on the private zone of the server
- Absence of a monitoring procedure and of reporting of security alerts on the server
As the CNIL specifies, these insufficient security measures are the main cause of the leak of the medico-administrative data of these 500,000 French patients.