Health data breach: DEDALUS BIOLOGIE fined 1.5 million euros

2 May 2022

On 15 April 2022, the CNIL's restricted committee imposed a fine of 1.5 million euros on the company DEDALUS BIOLOGIE, in particular because of security weaknesses that led to a breach of the medical data of nearly 500,000 individuals.

On 23 February 2021, the press revealed a massive data breach involving the company DEDALUS BIOLOGIE and affecting nearly 500,000 people. Their surnames, first names, social security numbers, the names of their prescribing doctors and the dates of their examinations, but above all their medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments, genetic data), had been released on the Internet.

On 24 February 2021, the CNIL carried out several investigations into the company DEDALUS BIOLOGIE, which sells software solutions for medical analysis laboratories.

At the same time, the CNIL referred the matter to the Paris judicial court, which ordered access to the website on which the leaked data had been published to be blocked. That decision, dated 4 March 2021, limited the consequences for the individuals concerned.

Based on the evidence collected during the investigations, the restricted committee (the CNIL body responsible for issuing sanctions) found that the company had failed to fulfil several obligations laid down by the GDPR, in particular the obligation to ensure the security of personal data.

The restricted committee therefore imposed an administrative fine of 1.5 million euros and decided to make its decision public. The amount of the fine reflects both the severity of the breaches observed and the turnover of the company DEDALUS BIOLOGIE.

Breaches

Breach of the obligation to process data under the authority of the controller or processor (Article 29 of the GDPR)

When two laboratories using the services of DEDALUS BIOLOGIE requested the migration of a software package to another tool, the company extracted a larger volume of data than the migration required.

The company therefore processed data beyond the instructions given by the data controllers.

Breach of the obligation to ensure security of processing (Article 32 of the GDPR)

Numerous technical and organizational security failings were found on the part of DEDALUS BIOLOGIE in the context of the migration from one software package to another:

  • lack of a specific procedure for data migration operations;
  • lack of encryption of the personal data stored on the server concerned;
  • no automatic deletion of data after migration to the other software;
  • no authentication required from the Internet to access the public area of the server;
  • use of user accounts shared by several employees on the private area of the server;
  • lack of a procedure for monitoring and reporting security alerts on the server.

This lack of adequate security measures was one of the causes of the data breach that compromised the medical and administrative data of almost 500,000 people.

Breach of the obligation to provide a formal legal framework for the processing operations carried out on behalf of the data controller (Article 28 of the GDPR)

The general terms and conditions of sale offered by the company DEDALUS BIOLOGIE and the maintenance contracts provided to the CNIL do not contain the clauses required by Article 28(3) of the GDPR.