Health data leak: 1.5 million euro fine against Dedalus Biologie
Published on 22nd Apr 2022
Following a massive health data leak disclosed in the press in February 2021, affecting nearly 500,000 persons, the French Data Protection Authority (CNIL) has fined the company Dedalus Biologie 1.5 million euros, mainly for failure to comply with its data security obligation.
Dedalus Biologie is a software vendor that markets health and diagnostic management tools for biomedical analysis laboratories.
The amount of the fine was determined with regard to the seriousness of the breaches, and especially taking into account the fact that health personal data had been disclosed. The amount of the fine decided by the CNIL against Dedalus Biologie is the maximum amount permitted by French regulations. This is the first fine in this sector.
Key takeaways: the CNIL
- highlighted a failure to comply with the obligation to have a formal contract or other legal act governing the processing carried out by the Processor on behalf of the Controller, as required by Article 28 of the GDPR.
For any subprocessing activity, a DPA (Data Processing Agreement) must be in place.
- flagged a breach of the Processor's obligation to comply with the Controller's instructions (Article 29 GDPR), as the Processor extracted a larger volume of data than the Controller required, including health personal data (e.g. health issues, infertility, etc.).
Controllers must give clear instructions and monitor processors' activities on an ongoing basis.
- found a breach of the obligation to ensure the security of personal data (Article 32 GDPR), due to technical failings such as:
  - Lack of a specific procedure for data migration,
  - Lack of encryption for personal data stored on the FTP server,
  - No automatic deletion of data after migration to the other software,
  - No authentication required from the Internet to access the public area of the server,
  - Use of user accounts shared by several employees on the private area of the server,
  - Lack of supervision and security alerting on the server, despite several earlier warnings about possible security breaches on this server.
In addition to the DPA, Controllers must set up robust security measures that Processors must comply with, and conduct systematic internal security investigations and audits of Processors.
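The following is an added example, not part of the CNIL decision or of any Dedalus Biologie code: a small defender-side audit that maps four of the technical findings above (no authentication on the public area, no encryption on the FTP server, shared user accounts, no supervision or alerting) onto concrete checks. It assumes a vsftpd-style key=value configuration (keys `anonymous_enable`, `ssl_enable`, `force_local_logins_ssl`, `force_local_data_ssl`) and vsftpd-style login log lines; the configurations and log lines are constructed samples, and the internal address ranges are an assumption for the demo.

```python
"""Audit an FTP file-drop for the weaknesses listed in the CNIL findings.

Added example (not the page's or the company's code). Config keys follow
vsftpd's naming; the log lines are constructed samples in vsftpd's
"OK LOGIN" style, using documentation addresses as stand-ins for Internet
sources.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed "before" configuration mirroring the findings: anonymous
# access from anywhere, and no TLS on credentials or data.
WEAK_CONFIG = """\
listen=YES
anonymous_enable=YES
local_enable=YES
ssl_enable=NO
"""

# Constructed hardened configuration removing each of those weaknesses.
HARDENED_CONFIG = """\
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

ANON_USERS = {"anonymous", "ftp"}
# Assumed internal ranges (RFC 1918); anything else is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOGIN_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"')


def parse_config(text):
    """Parse key=value lines; comments and blanks are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip().upper()
    return cfg


def audit_config(text):
    """Return a list of findings; an empty list means no weakness detected."""
    cfg = parse_config(text)
    findings = []
    # vsftpd's documented default for anonymous_enable is YES, so a missing
    # key is as bad as an explicit YES.
    if cfg.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous access enabled: no authentication required")
    if cfg.get("ssl_enable", "NO") != "YES":
        findings.append("TLS disabled: credentials and data travel in clear text")
    else:
        # Both force_* keys default to YES in vsftpd; flag explicit opt-outs.
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if cfg.get(key, "YES") != "YES":
                findings.append(f"{key}=NO: plaintext fallback allowed")
    return findings


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_lines, shared_threshold=3):
    """Raise alerts for anonymous Internet logins and for accounts used from
    many distinct sources (a simple indicator of a shared account)."""
    alerts = []
    sources = defaultdict(set)
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and other events are not counted here
        user, ip = m.group("user"), m.group("ip")
        if user in ANON_USERS and not is_internal(ip):
            alerts.append(f"anonymous login from Internet address {ip}")
        sources[user].add(ip)
    for user, ips in sources.items():
        if user not in ANON_USERS and len(ips) >= shared_threshold:
            alerts.append(f"account {user} used from {len(ips)} addresses: "
                          "possible shared account")
    return alerts


# Constructed sample log: one anonymous login from outside, one named
# account used from three workstations, one failed login, one normal login.
SAMPLE_LOG = """\
Tue Mar  2 10:15:01 2021 [pid 1201] [anonymous] OK LOGIN: Client "203.0.113.7", anon password "?"
Tue Mar  2 10:16:22 2021 [pid 1207] [labuser] OK LOGIN: Client "10.0.5.21"
Tue Mar  2 10:18:40 2021 [pid 1213] [labuser] OK LOGIN: Client "10.0.5.22"
Tue Mar  2 10:20:03 2021 [pid 1219] [labuser] OK LOGIN: Client "10.0.5.23"
Tue Mar  2 10:21:55 2021 [pid 1225] [anonymous] FAIL LOGIN: Client "198.51.100.9"
Tue Mar  2 10:25:10 2021 [pid 1231] [admin_jd] OK LOGIN: Client "10.0.5.30"
""".splitlines()

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "config findings:", audit_config(cfg) or "none")
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```

The configuration checks are the kind of control a Controller can require in the DPA and verify in an audit; the log rules are the minimal supervision the findings say was missing, and the shared-account heuristic only works if accounts are personal to begin with.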
In response, Dedalus Biologie asserted its willingness to reach the highest level of security and GDPR compliance by reinforcing its IT infrastructure, enhancing its internal and external procedures, and appointing additional DPO and IT services managers.
The full CNIL decision is available in French.