Medical Software Company Fined €1.5M for Exposing 490k Patients’ Data
Dedalus Biology Was Fined by the French Data Protection Regulator (CNIL).
The unauthorised exposure of sensitive data from inside a company’s guarded network perimeter to an external recipient is known as data leakage (or information leakage). Data leakage may occur in a variety of ways, both accidental and intentional.
A data leak may occur either electronically or physically via USB drives, cameras, printers, and other devices.
Dedalus Biology was fined EUR 1.5 million by the French data protection regulator (CNIL) for breaching three articles of the GDPR (General Data Protection Regulation).
On February 23, 2021, a press article entitled “Confidential information of 500,000 French patients stolen from laboratories and disseminated online” was published by the newspaper Liberation. This article reported on the presence on a forum of a download link to a file containing the medico-administrative data of nearly 500,000 people: “According to specialists, the leak is on an unprecedented scale in France for data.” The file in question, which “CheckNews” was able to consult, contains the complete identity of nearly half a million French people, often accompanied by critical data, such as information on their state of health or even their password.
Dedalus Biology supplies services to thousands of medical laboratories across France, and the fine is for exposing confidential information about 491,939 patients from 28 different laboratories.
As part of its online investigation, CNIL downloaded the file containing the medico-administrative data. It turned out to contain the personal data of 491,840 patients, including:
– identification data: social security number, surname, first names, sex, postal address, telephone number, e-mail address, date of the last medical visit, date of birth;
– two columns of free comments containing in particular information relating to the pathologies of the patients (HIV, cancers, genetic diseases), the state of pregnancy, the drug treatments followed by the patient or even genetic data;
– identification data of the prescribing doctor: surname, first name, postal address, telephone number, e-mail address;
– data relating to the sampler: surname, first name, address, telephone number;
– data relating to the patient’s mutual insurance company: “Third-party payment ID” (series of numbers), postal address, telephone number;
– an “SR identifier” column and an “MP” column, which, judging by their content, correspond to the identifiers and passwords used by patients to log in to their online account.
As BleepingComputer reports, due to the widespread distribution of this information on the internet, Dedalus Biology customers face the danger of being socially engineered, phished, deceived, or even blackmailed.
Dedalus Biology was found to have breached Article 29 of the General Data Protection Regulation (GDPR), which requires a processor to act only on the controller’s instructions. More precisely, during a migration from a different vendor’s software, carried out at the request of two medical laboratories, Dedalus collected far more data than the transfer required.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
CNIL also found a violation of GDPR Article 32 (security of processing), citing inadequate safeguards for the data, a lack of oversight, and the failure to escalate security alerts on the server.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The third GDPR article violated was Article 28, which requires a documented contract or other legal act governing processing carried out on behalf of the controllers (here, the laboratories).
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
On the basis of these infringements, CNIL imposed a fine of 1.5 million Euros, which corresponds to 10 percent of the company’s total annual turnover.
Although Dedalus asked for a more lenient penalty on the grounds that it had cooperated with CNIL’s investigators, the regulator pointed out that the company took no steps to limit the dissemination of the leaked data online, and therefore saw no reason to recognise mitigating factors.