France: CNIL fines Dedalus Biologie €1.5M following health data breach
The French data protection authority ('CNIL') announced, on 21 April 2022, that on 15 April 2022 its restricted committee had issued decision No. SAN-2022-009, fining Dedalus Biologie, a software solution provider for medical analysis laboratories, €1.5 million for violations of Articles 28, 29, and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach.
Background to the case
Specifically, CNIL outlined that, on 23 February 2021, the press revealed a data breach at two laboratories serviced by Dedalus Biologie. The breach concerned nearly 500,000 individuals and affected various types of data, including medical information (such as illnesses, genetic diseases, pregnancies, drug treatments followed by the patient, and even genetic data), and was subsequently investigated by CNIL.
Findings of CNIL
In particular, CNIL found that Dedalus Biologie acts as a processor within the meaning of Article 4(8) of the GDPR in respect of the personal data processing in question, since it provides laboratories with the tools, in particular computer software, that facilitate the processing, and acts only in the name and under the responsibility of the laboratories for the maintenance of that software and, where necessary, for migration to another software product. Consequently, CNIL found Dedalus Biologie to be in breach of Article 28(3) of the GDPR, given that the contractual documents concluded between Dedalus Biologie and its customers did not contain the information required by that provision.
In terms of the data breach itself, CNIL found that, as part of a migration of data from one tool to another requested by two laboratories using its services, Dedalus Biologie extracted a larger volume of data than was required, and therefore processed data beyond the instructions given by the data controllers, in breach of Article 29 of the GDPR.
Finally, CNIL observed various shortcomings in the technical and organisational measures meant to secure the leaked data in the context of the abovementioned data migration, including:
- no specific procedure for data migration operations;
- no encryption of the personal data stored on the server concerned;
- no automatic deletion of the data once migrated to the other software;
- no authentication required to access the public area of the server;
- use of user accounts shared between several employees in the private zone of the server; and
- no monitoring procedure and no security alert escalation for the server.
Therefore, CNIL found that Dedalus Biologie was in breach of Article 32 of the GDPR.
In view of the above, and considering the harm to the affected data subjects' privacy to be particularly serious due to, among other things, the sensitive nature of the data in question, and the negligence on the part of Dedalus Biologie to be multiple and serious, CNIL decided to impose a fine of the aforementioned amount and to publish the decision.
UPDATE (5 May 2022)
EDPB publishes English summary of CNIL's decision to fine Dedalus Biologie €1.5M following health data breach
The EDPB published, on 4 May 2022, an English summary of CNIL's decision to fine Dedalus Biologie €1.5M following a health data breach.