The French Data Protection Authority (CNIL) has fined Dedalus Biologie 1.5 million euros for failures in the protection of health data.
The massive data breach affected nearly 500,000 people and exposed their personal information and, above all, their medical information (HIV status, cancers, genetic diseases, pregnancies, drug therapies and genetic data).
The Case’s Background
Dedalus Biologie provides laboratories with tools, specifically computer software, that they use to carry out their data processing.
A data breach affecting two laboratories serviced by Dedalus Biologie was revealed in the press. The breach concerned nearly 500,000 individuals and various data types, including personal medical information (illnesses, genetic diseases, pregnancies, drug treatments, etc.), and was subsequently investigated by CNIL.
What CNIL found
CNIL determined that Dedalus Biologie violated Article 28(3) of the GDPR, since the contractual documents between Dedalus Biologie and its clients did not include the information required under that article.
CNIL also found that, during a data migration from one tool to another requested by two laboratories using Dedalus Biologie’s services, the company extracted a larger volume of data than required and thus processed data beyond the instructions given by the data controllers, in violation of GDPR Article 29.
Finally, CNIL identified numerous shortcomings in the technical and organisational measures meant to safeguard the data mentioned above, including:
- a lack of a standardized protocol for data migration procedures;
- a lack of encryption of personal data kept on the server;
- no erasure of the data after its migration to the other software;
- no authentication required to access the server’s public area, and user accounts shared by several employees on the server’s private zone; and
- no monitoring procedure or security-alert escalation on the server.
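The migration-related findings in the list above (no standardized migration protocol, data extracted beyond the controllers’ instructions, no erasure after transfer, shared accounts) describe controls a processor can enforce in the migration tooling itself. The following Python example is added here as an illustration and is not code from Dedalus Biologie or from the CNIL decision; the laboratory records, the `MigrationInstruction` structure and the field names are constructed assumptions. It scopes an extract to the controller’s documented instruction, independently checks the result against that instruction before hand-off, refuses to run under a shared account, and erases the extract file after the transfer, returning an audit record of what was done.

```python
"""Added example: a scoped, audited data-migration extract with erasure after transfer.

Standard library only. The records and instruction below are constructed
sample data (hypothetical), not anything from the CNIL decision.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field

# Constructed sample source records of a hypothetical laboratory system.
SOURCE_RECORDS = [
    {"patient_id": "P001", "name": "A. Example", "result": "12.3 g/dL",
     "diagnosis": "constructed", "genetic_marker": "constructed"},
    {"patient_id": "P002", "name": "B. Example", "result": "7.8 g/dL",
     "diagnosis": "constructed", "genetic_marker": "constructed"},
    {"patient_id": "P003", "name": "C. Example", "result": "9.1 g/dL",
     "diagnosis": "constructed", "genetic_marker": "constructed"},
]


@dataclass(frozen=True)
class MigrationInstruction:
    """The controller's documented instruction: which patients and which fields (assumed shape)."""
    controller: str
    allowed_fields: frozenset
    patient_ids: frozenset


@dataclass
class AuditRecord:
    """What was extracted, by whom, and whether the temporary copy was erased."""
    controller: str
    operator: str
    records_extracted: int
    fields_extracted: tuple
    extract_sha256: str
    erased: bool
    violations: list = field(default_factory=list)


def extract(records, instruction):
    """Keep only the patients and fields named in the instruction (Article 29 scope)."""
    rows = []
    for rec in records:
        if rec["patient_id"] not in instruction.patient_ids:
            continue
        rows.append({k: v for k, v in rec.items() if k in instruction.allowed_fields})
    return rows


def scope_violations(rows, instruction):
    """Independent post-check used as a supervision step: report anything beyond the instruction."""
    found = []
    if len(rows) > len(instruction.patient_ids):
        found.append(f"more rows ({len(rows)}) than patients in scope ({len(instruction.patient_ids)})")
    for row in rows:
        extra = set(row) - instruction.allowed_fields
        if extra:
            found.append(f"fields out of scope: {sorted(extra)}")
    return found


def erase_file(path):
    """Overwrite with zeros, then unlink. Best effort only on journaling or SSD storage."""
    if os.path.exists(path):
        size = os.path.getsize(path)
        with open(path, "r+b") as fh:
            fh.write(b"\0" * size)
            fh.flush()
            os.fsync(fh.fileno())
        os.remove(path)
    return not os.path.exists(path)


def run_migration(records, instruction, operator, transfer, shared_accounts=frozenset()):
    """Extract under a named (non-shared) operator, hand off via transfer(path), then erase."""
    if operator in shared_accounts:
        raise PermissionError(f"shared account {operator!r} may not run migrations")
    rows = extract(records, instruction)
    violations = scope_violations(rows, instruction)
    if violations:
        # Alerting hook: an extract wider than the instruction must not leave the system.
        raise RuntimeError("extract exceeds controller instruction: " + "; ".join(violations))
    payload = json.dumps(rows, sort_keys=True).encode()
    fd, path = tempfile.mkstemp(prefix="migration-", suffix=".json")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
        transfer(path)  # caller-supplied hand-off to the destination software
    finally:
        erased = erase_file(path)  # no lingering copy on the processor's server
    return AuditRecord(
        controller=instruction.controller,
        operator=operator,
        records_extracted=len(rows),
        fields_extracted=tuple(sorted(instruction.allowed_fields)),
        extract_sha256=hashlib.sha256(payload).hexdigest(),
        erased=erased,
        violations=violations,
    )
```

The `transfer` callable stands in for whatever the real hand-off is (an upload, a copy to the new system's import directory); the point is that scoping, the independent scope check, the operator check and the erasure are part of the fixed procedure rather than left to each engineer, and the returned `AuditRecord` is what a monitoring process can log and review.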
As a result, CNIL determined that Dedalus Biologie violated Article 32 of the GDPR.
Outcome
In light of the above, and considering the harm to affected data subjects’ privacy to be serious given the specific type of data in question, as well as Dedalus Biologie’s multiple and serious failings, CNIL decided to impose the fine mentioned above and to publish its decision.