Health data leak: the CNIL imposes a fine of 1.5 million euros

On April 15, 2022, the restricted committee of the CNIL imposed a fine of 1.5 million euros on the company Dedalus Biologie. Security flaws had led to a leak of the medical data of nearly 500,000 people.

On February 23, 2021, a massive data leak concerning nearly 500,000 people was discovered. It made public the victims' surname, first name, social security number, name of the prescribing doctor and date of the examination, but also, and above all, medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data).

The next day, the CNIL carried out several checks, in particular at the company Dedalus Biologie, which markets software solutions for medical analysis laboratories, and referred the matter to the Paris court, which blocked access to the site hosting the leaked data. A year later, the restricted committee of the CNIL issued a sanction against the company.

“Based on the findings made during the checks, the restricted committee considered that the company had breached several obligations provided for by the GDPR, in particular the obligation to ensure the security of personal data,” indicates the CNIL. The restricted committee thus imposed a fine of 1.5 million euros and decided to make its decision public. The amount was decided “in view of the seriousness of the shortcomings identified” but also taking into account the turnover of the company concerned.

The CNIL reports a “breach of the processor’s obligation to comply with the controller’s instructions (article 29 of the GDPR)”, Dedalus having extracted a larger volume of data than required as part of a migration from one software tool to another. For this migration, the CNIL also notes “a breach of the obligation to ensure the security of personal data (article 32 of the GDPR)” and a “breach of the obligation to regulate by a formalized legal act the processing carried out on behalf of the data controller (article 28 of the GDPR)”.
