Leak of health data: fine of 1.5 million euros against the company DEDALUS BIOLOGY | CNIL

On February 23, 2021, a massive data leak concerning nearly 500,000 people was revealed in the press, which implicated the company DEDALUS. The surname, first name, social security number, name of the prescribing doctor, date of the examination but also and above all medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data) of these people were thus disseminated on the internet.

As of February 24, 2021, the CNIL carried out several checks, in particular with the company DEDALUS BIOLOGY, which markets software solutions for medical analysis laboratories. At the same time, the CNIL referred the matter to the Paris court, which blocked access to the site on which the leaked data was published. This decision of March 4, 2021 made it possible to limit the consequences for the people concerned.

Based on the findings made during the inspections, the restricted committee (the CNIL body responsible for pronouncing sanctions) considered that the company had breached several obligations provided for by the GDPR, in particular the obligation to ensure the security of personal data. The Restricted Committee thus imposed a fine of 1.5 million euros and decided to make its decision public. The amount of this fine was decided with regard to the seriousness of the breaches identified but also taking into account the turnover of the company DEDALUS BIOLOGY.

Violations sanctioned

A breach of the obligation for the subcontractor to respect the instructions of the data controller (article 29 of the GDPR)

In the context of the migration of software to another tool, requested by two laboratories using the services of DEDALUS BIOLOGY, the latter extracted a larger volume of data than required. The company therefore processed data beyond the instructions given by the data controllers.

A breach of the obligation to ensure the security of personal data (article 32 of the GDPR)

Numerous technical and organizational security failings were held against the company DEDALUS BIOLOGY in the context of the operations to migrate the software to another tool:

- lack of a specific procedure for data migration operations;
- lack of encryption of personal data stored on the problematic server;
- absence of automatic deletion of data after migration to the other software;
- lack of authentication required from the internet to access the public area of the server;
- use of user accounts shared between several employees on the private zone of the server;
- absence of a supervision procedure and of security alert escalation on the server.

This lack of satisfactory security measures is one of the causes of the data breach which compromised the medical and administrative data of nearly 500,000 people.

A breach of the obligation to regulate by a formalized legal act the processing carried out on behalf of the data controller (article 28 of the GDPR)

The general conditions of sale offered by the company DEDALUS BIOLOGY and the maintenance contracts transmitted to the CNIL do not contain the information provided for in article 28-3 of the GDPR.