fine of 1.5 million euros for Dedalus

The National Commission for Computing and Liberties (CNIL) has just announced that it has imposed a fine of 1.5 million euros on Dedalus, a software supplier involved in the leak of medical data of 500,000 French people.

A major data leak

On February 23, 2021, the press revealed that a database containing the medical information of half a million French people was freely accessible on the web. Quickly, the company Dedalus, which markets software to several laboratories, was called into question. A few months later, the government promised extremely strong penalties in case of negligence.


The data involved was particularly sensitive: "the surname, first name, social security number, name of the prescribing doctor, date of the examination, but also and above all medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data) of these people have thus been disseminated on the internet", explains the CNIL in its press release.

The Commission quickly carried out checks with Dedalus and also referred the matter to the Paris court, which ordered the blocking of the site hosting this information from March 4, 2021, "to limit the consequences for people".

A fine for numerous breaches identified by the CNIL

More than a year later, the CNIL has therefore rendered its verdict in this case by imposing a fine of 1.5 million euros on Dedalus, a sanction "decided in view of the seriousness of the shortcomings identified but also taking into account the company's turnover".


The CNIL considers that Dedalus has not complied with the GDPR, European law on the protection of personal data. Photography: Christian Lue / Unsplash

The regulator explains that the company breached many obligations under the General Data Protection Regulation (GDPR). The CNIL thus denounced the absence of a "specific procedure for data migration operations" and of "encryption of personal data stored on the problematic server". Dedalus also did not automatically erase the data after migrating it to other software.

Finally, the Commission noted the absence of a "procedure for monitoring and raising security alerts on the server" as well as "the use of user accounts shared between several employees on the private zone of the server".

Dedalus promises to have made many changes

For the time being, however, the perpetrators of the theft and sale of the data online have not been identified. For its part, Dedalus claims to have made many changes since this case was brought to light. As explained to Le Monde, the firm claims to have "deployed all possible measures" to "identify possible vulnerabilities" and to have worked to "remedy the shortcomings identified by the CNIL".

It also claims to have carried out the "reinforcement of certain IT infrastructures" and "the improvement of several internal and external procedures", to have launched "an important component of internal training" and to have carried out "additional hirings in the departments responsible for corporate cybersecurity".
