Medical data breach leads to major fine from CNIL

Earlier this month, the CNIL imposed a fine of €1.5 million after a medical data breach affecting nearly 500,000 people revealed a company’s security flaws.

 

Early last year, a major data breach affecting nearly 500,000 people was reported. The breach involved information including users’ surnames, first names , social security numbers, names of their prescribing doctors, dates of their examinations, and most critically medical information on conditions (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data). In February 2021, the CNIL carried out several inquiries into the company DEDALUS BIOLOGY, a software company, which supports medical analysis laboratories. Based on the findings, CNIL concluded that the company had breached several obligations under the GDPR, in particular the obligation to ensure the security of personal data. The CNIL decided to impose a fine of 1.5 million euros and to make this decision public. The amount of this fine was decided based on the seriousness of the violations, but also considered the turnover of the company.

 

CNIL sanctioned the software company for violating several GDPR obligations following the medical data breach.

 

Two companies requested the services of DEDALUS BIOLOGY for the migration from software to another tool. In this case, the company extracted a larger volume of data than was required to perform this task. The company has therefore processed data beyond the instructions given by the data controllers.

This breach of the obligation for the processor to comply with the instructions of the controller is a violation of article 29 of the GDPR. CNIL also fined the company over a breach of the obligation to regulate their processing by a formalized legal act as the maintenance contracts transmitted to CNIL by DEDALUS did not contain the information provided for by article 28-3 of the GDPR which stated that data processing “…shall be governed by a contract or other legal act under Union or Member State law…”

 

During its investigation, CNIL also encountered several technical and organizational faults in terms of security within DEDALUS BIOLOGY with regard to the operations of migrating the software to another. These included the lack of a specific procedure for data migration operations, the lack of encryption of personal data stored on a problematic server, as well as  the absence of automatic deletion of data after migration to the other software. In addition the company’s systems lacked the authentication required from the Internet to access the public area of ​​the server and had user accounts shared between several employees on the private area of the server. DEDALUS also lacked a supervision procedure and security alert escalation on the server. This lack of satisfactory security measures contributed to the data breach which compromised the medical and administrative data of nearly 500,000 people and violated  Article 32 of the GDPR. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.