Two doctors have been fined by CNIL for having insufficient data protection, and neglecting to notify of a recent data breach.
Last month, in France, CNIL announced that two doctors were found to be in breach of articles 32 and 33 of the GDPR. Following a September 2019 online check, the two doctors had thousands of images hosted on their servers, freely available online. Upon investigation, the doctors were concluded to have poorly configured their internet box, as well as their medical imaging software, leading to the data breach. The doctors were charged €3,000 and €6,000 respectively, and while the CNIL thought it unnecessary to publish the names of the doctors in question, they expressed the importance of the publicity of these decisions in an effort to alert health professionals to their obligations and the need to strengthen their vigilance on security measures.
The doctors fined by the CNIL, failed to adequately protect data thereby breaching article 32 of the GDPR.
According to article 32 of the GDPR, data controllers and processors are responsible for implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk in order to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. A data protection impact assessment would have notified the doctors in advance of the faults in the configuring which led to the data breach.
Article 32 of the GDPR states “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
By not adequately notifying the CNIL of the data breaches, the two doctors breached article 33 of the GDPR as well.
According to article 33 of the GDPR controllers need to make a notification of any data breaches without undue delay, and where possible, within 72 hours of realizing that data has indeed been breached. After being notified that the images were freely accessible, the two doctors should have made the mandatory notifications, but failed to do so. According to the GDPR, this is a necessary step “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” This data breach compromised the medical images of the doctors’ clients, directly infringing on their rights, making it necessary to notify the authority.
CNIL made these decisions public in order to send a message to other medical professionals to ensure compliance with the GDPR.
While CNIL did not find it necessary to publicize the doctors’ names, they felt it was important to report on the incident to implore other health professionals to be vigilant with their measures for data protection. The aim is to encourage professionals to choose application solutions offering the maximum guarantees in terms of IT security and personal data protection. If not, these professionals risk the same fate for not being cautious when developing and configuring their internal IT system. The CNIL suggests that professionals employ competent service providers where necessary, to ensure compliance.
