CNIL imposed a €800,000 fine on Cegedim Santé for the unauthorized and unlawful processing of sensitive health data.
In 2021, Cegedim Santé, a company specializing in management software for general practitioners and health centers, came under scrutiny from the French data protection authority, CNIL. The company provides software to around 25,000 medical practices and 500 health centers, enabling doctors to manage schedules, patient records, and prescriptions. However, CNIL investigations revealed that Cegedim Santé was unlawfully processing sensitive health data. The company had collected non-anonymous data from its software users without proper authorization, using it for research and statistical purposes, leading to significant privacy concerns.
Cegedim Santé violated privacy laws by using pseudonymous data that risked re-identifying individuals.
The primary issue involved Cegedim Santé’s handling of pseudonymous data, which, although partially masked, could still potentially lead to the re-identification of individuals. The data included details such as birth year, gender, medical history, and prescriptions, all linked to a unique patient identifier. This allowed for the reconstruction of an individual’s healthcare history, raising concerns about data security and privacy risks. CNIL’s restricted committee emphasized that such data was not fully anonymous, and because re-identification was possible, it violated privacy laws.
Cegedim Santé breached the French Data Protection Act by processing sensitive health data without CNIL authorization.
Under the French Data Protection Act, the processing of health data must either have CNIL authorization or comply with specific regulations, neither of which Cegedim Santé fulfilled. The company failed to obtain the necessary authorization or declare its compliance with the regulatory framework for handling personal health data. This breach, coupled with the fact that the data was highly sensitive, led to severe sanctions. CNIL deemed the company’s actions to be particularly serious, given the scope and nature of the data processed.
Cegedim Santé unlawfully processed patient health data by automatically downloading reimbursement histories from the “HRi” teleservice without patient consent or the option to prevent collection.
Additionally, Cegedim Santé’s integration of the “HRi” teleservice further compounded its violations. This service, provided by the French health insurance system, allowed doctors to access patient health reimbursement histories. However, Cegedim Santé’s system automatically downloaded this data without the patient’s consent or the option to prevent collection. This was considered unlawful processing, as it failed to give doctors the choice to consult the data without it being collected.
Due to these breaches, CNIL fined Cegedim Santé €800,000, underlining that strict compliance with data protection laws is required even though the company no longer controls the processed data.
As a result of these breaches, CNIL imposed a fine of €800,000 on Cegedim Santé. Although the company no longer controls the data processed, having passed this responsibility to another entity within its group, the severity of its non-compliance with data protection laws warranted this substantial penalty. The case serves as a reminder of the importance of strict adherence to privacy regulations, especially when handling sensitive health information.