The CNIL has imposed a fine of 1.5 million euros on the software publisher Dedalus after a massive leak of data, some of it sensitive, from medical analysis laboratories, which affected nearly 500,000 people, the regulator announced on Thursday.
A symbolic fine
“The amount of this fine was decided in view of the seriousness of the breaches found, but also taking into account the turnover of the company Dedalus Biologie,” the personal-data watchdog said in a press release on Thursday.
The exposed data included “surnames, first names, Social Security numbers, the name of the prescribing doctor, the date of the examination, but also and above all medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data),” the CNIL recalled in its press release.
A revelation by Libération
The leak was revealed in particular by the daily Libération and the specialist cybersecurity blog Zataz in February 2021. A file containing 491,840 names was circulating freely on at least one forum indexed by search engines.
Dedalus was found responsible for “many technical and organizational shortcomings in terms of security” in the context of “migration operations” from one software product to another, the CNIL said in its press release.
28 laboratories involved
Among the shortcomings found, the CNIL cites in particular “the absence of encryption of personal data on the problematic server” and “the absence of any required authentication” to “access the public zone of the server” from the Internet.
The data leak concerned 28 laboratories in six départements of the Brittany, Centre-Val de Loire and Normandy regions, according to information given at the time by Dedalus. The French army, including some members of the foreign intelligence services, had also been affected by this leak, the specialist site Intelligence Online reported at the time.