Breach Of Patients’ Data Leads To Heavy Sanctions In France – Privacy Protection



Source: Mondaq.com

At the end of February 2021, the French Data Protection
Authority (CNIL) learned through the media of a massive personal
data breach involving the health-related data of about 500,000
French patients. After more than a year of investigation, the
CNIL published its decision (available in French only) imposing a
fine of 1.5 million euros on DEDALUS BIOLOGIE, a company that
processes the data on behalf of medical analysis laboratories.
The company has not appealed. The decision confirms that a
processor can be sanctioned for the absence of a data processing
agreement incorporating the Article 28 General Data Protection
Regulation (GDPR) provisions with the controller, for failing to
abide by the controller’s instructions, and for insufficient
security measures.

Background context

The personal data leaked in the breach included the following
categories of personal data:

  • Identification data, such as social security number (SSN),
    surname, first name, gender, postal address, telephone number,
    email address, date of last medical visit and date of birth.

  • Information relating to patients’ pathologies (e.g., HIV,
    cancers, genetic diseases), pregnancy status, drug treatments
    followed by the patient, and genetic data.

  • Identification data relating to the physician.

According to the CNIL’s preliminary findings issued in
February 2021, the breach appeared to be “of a particularly
large and serious scale.” The controllers involved in the
leak were medical analysis laboratories, although the CNIL has not
publicly disclosed their identity. By February 24, 2021, the CNIL
had carried out several inspections, in particular at the company
that markets software solutions to such laboratories. More
precisely, this provider supplies the laboratories with tools
that support their processing operations. The CNIL’s decision
establishes the company’s role as a processor, since it acts on
behalf of and under the responsibility of the laboratories for
the maintenance of the software and, where necessary, for the
migration to another software product.

CNIL’s decision

Based on the findings of its investigation, the CNIL considered
the processor to have failed to comply with several obligations
under the GDPR, in particular the obligation to ensure the security
of personal data. The three sanctioned breaches are listed
below.

1. Failure of the processor to comply with the instructions of
the controllers (Article 29 GDPR)

Two laboratories using the provider’s services asked it to
migrate their data from its software to another, updated tool.
In carrying out that migration, the provider extracted a larger
volume of data than the controllers had requested, and therefore
processed data beyond the instructions given by the data
controllers.

2. Failure to ensure the security of personal data (Article 32
GDPR)

The CNIL identified numerous security shortcomings in the way
the migration from one software product to the other was carried
out, including:

  • Absence of a specific procedure for the operations of data
    migration.

  • Absence of encryption of personal data stored on the server at
    issue.

  • Absence of automatic deletion of the data after migration to
    the other software.

  • No authentication required to reach the public area of the
    server from the internet.

  • User accounts shared by several employees in the private area
    of the server.

  • No monitoring or security alerting on the server.

As a result of these failures, the investigation found that
unauthorized third parties gained access to the personal data
concerned, and the file containing the medico-administrative data
of the affected data subjects was subsequently posted on forums.

3. Failure to implement a data processing agreement (Article 28
GDPR)

Processors and controllers have an obligation to enter into a
data processing agreement (DPA). The general terms of service of
the processor and the related maintenance contracts did not contain
a DPA, resulting in a breach of Article 28 GDPR.

Key takeaways

  • Failure to implement a DPA can be held against a
    processor.
    The service provider was sanctioned, as a
    processor, for failing to put a DPA in place. The processor
    argued that, because concluding a DPA is an obligation on both the
    controller and the processor, it should not be held solely
    responsible for the omission. The CNIL did not accept this
    argument: it noted that the obligation under Article 28 GDPR is
    incumbent on the controller and the processor alike, so each
    party answers for its own failure to comply.

  • A privacy-by-design shortcoming on the processor’s side
    can translate into a failure to comply with the controller’s
    instructions.
    Privacy by design requires controllers to
    address privacy concerns when a processing operation is designed,
    rather than bolting features on afterwards. Because that
    obligation rests on controllers, the CNIL could not charge the
    processor with failing to build privacy by design into its tool.
    Its decision nevertheless shows that DEDALUS BIOLOGIE’s tool was
    not designed in a way that allowed the company to follow the
    controllers’ instructions: for migrations, the tool could only
    extract a laboratory’s entire patient file, with no way to filter
    the exported fields down to those actually requested. That
    design gap led to the processor’s breach of Article 29 GDPR.

  • Processors also can be subject to a significant fine
    for their own failures.
    Because the company was found in
    breach of Articles 28, 29 and 32 GDPR, the maximum fine that could
    be imposed was the higher of 10 million euros or 2% of annual
    worldwide turnover. As the company reported revenues of 16.3
    million euros in 2020, 2% of turnover would have amounted to no
    more than 326,000 euros, so the CNIL calculated its sanction
    against the 10 million euro ceiling instead.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
