France: CNIL fines CEGEDIM SANTÉ €800,000 for unlawful processing of health data
On September 12, 2024, the French data protection authority (CNIL) published decision SAN-2024-013, issued on September 5, 2024, fining CEGEDIM SANTÉ €800,000 for violations of the General Data Protection Regulation (GDPR) and of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (the Act), following an investigation.
Background to the decision
CEGEDIM SANTÉ publishes and sells practice-management software used by healthcare professionals in some 25,000 medical practices and 500 health centers to manage patient files and prescriptions. CNIL explained that patient data was collected, as part of an observatory, from a panel of doctors using the software. The patient data was encrypted and linked to a unique identifier that was not derived from any identity trait of the patient; when a patient file was accessed and transmitted, it was re-encrypted. Because the identifier is attached to all of the medical and administrative data of the same patient, a patient's history can be followed over time within a single practice.
Findings of CNIL
CEGEDIM SANTÉ argued that the data was anonymized and therefore outside the scope of the GDPR. CNIL disagreed, finding that the patient health data was only pseudonymized. CNIL relied on the Article 29 Working Party Opinion 05/2014 on anonymisation techniques of April 10, 2014, under which data can be treated as anonymous only if it withstands all three of the following risks:
- individualization (singling out): the possibility of isolating some or all of the records that identify an individual in the data set;
- correlation (linkability): the ability to link at least two records relating to the same data subject or group of data subjects; and
- inference: the ability to deduce, with a high degree of probability, the value of an attribute from the values of a set of other attributes.
Applying this test, CNIL found that although each patient's identifier was not derived from any identity feature, it was assigned per patient for a given doctor and tied to that patient's full medical and administrative data. Replacing the directly identifying data with an indirectly identifying identifier allows the data to be processed without identifying anyone directly, but the remaining patient information was rich enough that the pseudonym could be lifted by reasonable means; the data was therefore pseudonymous rather than anonymous.
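The three-risk test above, applied to a constructed pseudonymised patient table, as an added example that is not part of the decision, CNIL's material or CEGEDIM SANTÉ's software. The schema, field names, sample rows and the drug-to-condition markers are assumptions chosen to mirror the design described (one stable per-patient identifier, not derived from identity traits, attached to the patient's medical and administrative data):

```python
"""Added example (not from the decision, CNIL or CEGEDIM): applying the three
re-identification risks to a constructed pseudonymised patient table. The
schema, field names, sample rows and drug-to-condition markers are assumptions."""
from collections import defaultdict

FIELDS = ("pseudonym", "sex", "birth_year", "postcode", "visit_date", "prescription")

# Constructed sample. One stable pseudonym per patient within the practice
# (the design the decision describes), not derived from name, date of birth
# or any other identity trait; the other columns mimic the medical and
# administrative fields a practice file holds.
RECORDS = [
    ("p7f3a1", "F", 1961, "75011", "2022-01-10", "insulin glargine"),
    ("p7f3a1", "F", 1961, "75011", "2022-04-12", "insulin glargine"),
    ("p7f3a1", "F", 1961, "75011", "2022-07-15", "metformin"),
    ("c02d9e", "M", 1984, "75011", "2022-02-03", "amoxicillin"),
    ("c02d9e", "M", 1984, "75011", "2022-09-21", "ibuprofen"),
    ("b55e10", "M", 1984, "75011", "2022-03-08", "ibuprofen"),
    ("a91c77", "F", 1950, "75020", "2022-05-30", "metformin"),
    ("a91c77", "F", 1950, "75020", "2022-11-02", "insulin glargine"),
]
QUASI_IDS = ("sex", "birth_year", "postcode")  # indirect identifiers left in clear


def as_dicts(rows=RECORDS):
    return [dict(zip(FIELDS, row)) for row in rows]


def patients_per_combo(records, quasi_ids=QUASI_IDS):
    """Group the distinct pseudonyms behind each quasi-identifier combination."""
    groups = defaultdict(set)
    for r in records:
        groups[tuple(r[q] for q in quasi_ids)].add(r["pseudonym"])
    return groups


def singled_out(records, quasi_ids=QUASI_IDS):
    """Risk 1, individualization: patients whose quasi-identifier combination
    belongs to nobody else in the table (k = 1), so their rows isolate one person."""
    return {next(iter(ps)) for ps in patients_per_combo(records, quasi_ids).values()
            if len(ps) == 1}


def link_history(records, pseudonym):
    """Risk 2, correlation: the stable pseudonym links every consultation of
    one patient into a longitudinal history rather than isolated events."""
    return sorted((r["visit_date"], r["prescription"])
                  for r in records if r["pseudonym"] == pseudonym)


def infer_condition(records, pseudonym, markers=("insulin glargine", "metformin")):
    """Risk 3, inference: deduce an attribute the table never stores (here a
    probable diabetes diagnosis) from the prescriptions linked to the pseudonym.
    The marker list is an illustrative assumption."""
    drugs = {r["prescription"] for r in records if r["pseudonym"] == pseudonym}
    return bool(drugs & set(markers))


def reidentify(records, known):
    """Lifting the pseudonym: match facts an adversary already holds about a
    named person (sex, birth year, postcode, the date of one known visit)
    against the table. A single hit yields the pseudonym and, through
    link_history, the patient's whole file."""
    return {r["pseudonym"] for r in records
            if all(r.get(k) == v for k, v in known.items())}


if __name__ == "__main__":
    recs = as_dicts()
    print("singled out by quasi-identifiers alone:", singled_out(recs))
    # Adversary knows a neighbour: a woman born in 1961 who saw this doctor on 2022-04-12.
    for p in reidentify(recs, {"sex": "F", "birth_year": 1961, "visit_date": "2022-04-12"}):
        print(p, link_history(recs, p), "diabetes likely:", infer_condition(recs, p))
```

Two of the four patients are singled out by sex, birth year and postcode alone; the two who share those values are still told apart as soon as the adversary knows the date of one visit, because the visit dates and prescriptions attached to the pseudonym act as further quasi-identifiers. This is the point of the decision: removing the name and using an identifier with no identity content does not, by itself, defeat singling out, linkability or inference when the rest of the record remains this rich.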
CNIL therefore concluded that the data processed by CEGEDIM SANTÉ until at least 2022 was pseudonymous, not anonymous, and fell within the scope of the GDPR. CNIL further held that the processing connected to CEGEDIM SANTÉ's 'HRi' online health insurance service, which gives doctors access to a patient's history of reimbursements by the health insurance fund, breached Article 5(1)(a) of the GDPR (lawfulness): because the data consulted through HRi was automatically downloaded into the practice software, personal data was processed without the authorization that the National Health Insurance Fund requires for consultation of this health data.
CNIL also recalled that under Article 66 of the Act, processing of personal data in the health sector may be carried out only with CNIL's authorization (or, where applicable, a declaration of conformity sent to CNIL). CEGEDIM SANTÉ argued that it did not operate a health data warehouse because the data was retained for only three months and was therefore transitory in nature. CNIL rejected this argument, finding that the database met the definition because of the subsequent reuse of the personal data, the continuous feeding of the database, and its purposes in the health sector. CNIL consequently found a violation of Article 66 of the Act, CEGEDIM SANTÉ having neither requested authorization for the processing nor sent CNIL a declaration of conformity.
Outcomes
In light of the above, CNIL imposed a fine of €800,000 on CEGEDIM SANTÉ for violation of Article 5(1)(a) of the GDPR and Article 66 of the Act.
The CNIL press release and the full decision are available only in French; the European Data Protection Board (EDPB) has also published a summary of the decision.