The Cnil imposed a fine of 1.5 million euros on the software publisher Dedalus after a massive leak of data, some of it sensitive, from medical analysis laboratories, which had affected nearly 500,000 people, the regulator said on Thursday.
A symbolic fine
"The amount of this fine was decided in view of the seriousness of the breaches found, but also taking into account the turnover of the company Dedalus Biologie," the personal data watchdog said on Thursday in a press release.
The accessible data included "surnames, first name, Social Security number, name of the prescribing doctor, date of the examination but also and above all medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data)", the Cnil recalled in its press release.
Revealed by Liberation
The leak had been revealed in particular by the daily Liberation and the specialized cybersecurity blog Zataz in February 2021. A file containing 491,840 names was circulating freely on at least one forum indexed by search engines.
Dedalus was guilty of "many technical and organizational shortcomings in terms of security" in the context of "migration operations" from one piece of software to another, said the CNIL in its press release.
28 laboratories involved
Among the shortcomings identified, the Cnil cites in particular "the absence of encryption of personal data on the problematic server", and "the absence of authentication required" to "access the public zone of the server" from the Internet.
The data leak concerned 28 laboratories in 6 departments of the Brittany, Centre-Val de Loire and Normandy regions, according to information given at the time by Dedalus.
The French army, including some members of the foreign intelligence services, had also been affected by this hacking, the specialized site Intelligence Online indicated at the time.