500,000 victims of a health data leak: the CNIL condemns Dedalus Biologie


Alexander Boero

April 22, 2022 at 3:40 p.m.


Digital health

The CNIL has heavily sanctioned the company Dedalus Biologie, for security flaws that led to the leak of medical data, as well as a violation of the GDPR.

On Thursday, the National Commission for Computing and Liberties (CNIL) announced that it had sanctioned, a week earlier, the company Dedalus Biologie, which specializes in publishing system and network software in the field of health, following a data leak affecting nearly 500,000 people. The CNIL imposed a fine of 1.5 million euros on the company, found guilty of several breaches of the GDPR.

Particularly sensitive health information that was, for a time, exposed online

It was a whistleblower from Strasbourg, a former employee of Dedalus Biologie, who made possible the revelation, on February 21, 2021, of a massive data leak concerning the personal information of around 500,000 people. The next day, the CNIL launched checks on the company, which describes itself as a European leader and world player in software solutions for medical analysis laboratories.

The leaked data includes personal information such as first and last name, social security number, date of examination and name of the prescribing physician, together with highly sensitive medical information about people living with HIV, cancer or a genetic disease, people who are pregnant or undergoing drug treatment, not to mention genetic data, which was also disseminated on the Internet.

The CNIL considered that Dedalus Biologie had breached several obligations provided for by the GDPR. The authority notably criticizes the Strasbourg-based company for not having fulfilled its obligation to protect the personal data collected.

The CNIL quickly blocked access to the pirate site which hosted the stolen data

Several breaches of the GDPR led to the sanction against Dedalus Biologie. First, the company extracted a larger volume of data than was required for the migration from one software package to another, requested by two laboratories that used Dedalus services. Then there is, obviously, the failure to ensure the security of personal data, which took the form of the absence of encryption of the personal data stored on the hacked server, the absence of authentication to access the public zone of the server, the absence of automatic deletion of data after migration to the other software, and the absence of a procedure for monitoring and escalating security alerts on the server. These are particularly serious shortcomings.

In parallel with its procedure, the CNIL quickly asked the Paris court, which has jurisdiction in the matter, to block access to the site on which the data was published. This was granted by a decision of March 4, 2021, which limited the time during which the leaked data remained exposed.

Following its checks and findings, the restricted panel of the CNIL sentenced the company Dedalus Biologie to a fine of 1.5 million euros. This may seem low, but it is in reality quite substantial for a health data leak. Above all, based on public data, it corresponds to approximately 10% of the company’s 2020 turnover, which reflects the seriousness of the shortcomings retained by the data watchdog.


Source : CNIL
