The French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), has determined that the French laboratory software provider Dedalus Biologie violated Articles 28(3), 29, and 32 of the General Data Protection Regulation (GDPR) and has ordered the company to pay a €1.5 million penalty to resolve the violations.
Dedalus Biologie provides software solutions to medical analysis laboratories in France. In February 2021, the French periodical ZATAZ and other media outlets reported that a dataset that included the personal and health information of close to 500,000 French citizens had been shared online on hacking forums. The file, which had 491,840 lines of data, included up to 60 pieces of information on individuals, including their names, addresses, telephone numbers, prescribing doctor names, social security numbers, dates of service, blood types, medical conditions, treatments, pregnancy status, genetic data, and other sensitive information. The dataset was subsequently shared much more widely online.
The dataset was discussed between two individuals on a Turkish Telegram channel, one of whom was a Turkish hacker known for selling data. While the data was thought to come from a hospital, it was traced to approximately 28 medical laboratories, most of which were located in northwest France. The dataset had been uploaded to a cloud server and had not been properly secured, allowing it to be accessed over the Internet by unauthorized individuals. The data related to medical testing conducted between 2015 and 2020. During that period, all of the affected laboratories were using software provided by Dedalus Biologie.
CNIL investigated Dedalus Biologie and the data breach to determine if there had been any violations of the GDPR. CNIL confirmed that under Article 4(8) of the GDPR, Dedalus Biologie was a data processor with respect to the data in question. Article 28(3) of the GDPR states that data processors are required to be governed by a contract or other legal act with the data controller that states the subject matter and duration of any data processing, the nature and purpose of processing, the types of personal data and categories for processing, and the obligations and rights of the data controller. Dedalus Biologie was found to have violated this requirement of the GDPR.
Two laboratories that used the services of Dedalus Biologie authorized the company to migrate data from one tool to another; however, the new tool extracted more data than was required, so data processing occurred outside the laboratories' instructions, in violation of Article 29 of the GDPR. With respect to the data breach, CNIL identified many technical and organizational shortcomings in Dedalus Biologie's migration operations: no encryption on the server in question, no authentication for access to the server's public zone, no automatic deletion of data after migration to the other software, no documented procedures for data migration operations, no supervision procedures or security alert escalation on the server, and user accounts for the server's private zone that were shared by several employees.
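Two of the findings above, the migration tool extracting more data than the laboratories had instructed and the absence of automatic deletion after migration, map directly onto controls a processor can build into the migration step itself. The following is an added illustration, not Dedalus Biologie's code or the tool CNIL examined; every name and the sample records are constructed.

```python
"""Data-minimising migration step with a mandatory post-migration purge.

Added illustration (not Dedalus Biologie's code): the processor copies only
the fields the controller (the laboratory) instructed, stages the extract,
and purges the staged copy once the target tool confirms the import.
"""
from dataclasses import dataclass, field


@dataclass
class Staging:
    """In-memory stand-in for the migration server's staging area."""
    files: dict = field(default_factory=dict)


def extract_for_migration(records, instructed_fields):
    """Restrict each record to the fields the controller authorised.

    Fields outside the instruction set are dropped rather than copied, so the
    processor cannot silently widen the processing scope (the Article 29 point).
    Returns (filtered_records, sorted list of dropped field names).
    """
    allowed = set(instructed_fields)
    dropped = set()
    out = []
    for rec in records:
        dropped |= set(rec) - allowed
        out.append({k: v for k, v in rec.items() if k in allowed})
    return out, sorted(dropped)


def stage_and_migrate(staging, name, records, instructed_fields, import_ok):
    """Stage the minimised extract, hand it to the target, purge on success.

    `import_ok` is a hypothetical callback that returns True when the target
    tool has confirmed the import; only then is the staged copy deleted.
    """
    payload, dropped = extract_for_migration(records, instructed_fields)
    staging.files[name] = payload
    if import_ok(payload):
        del staging.files[name]  # no lingering copy left on the staging server
        return {"migrated": len(payload), "dropped_fields": dropped, "staged_left": False}
    return {"migrated": 0, "dropped_fields": dropped, "staged_left": True}


# Constructed sample: the controller instructed migration of three fields only.
SAMPLE = [
    {"name": "A", "dob": "1980-01-01", "result": "ok", "ssn": "X", "genetic": "Y"},
    {"name": "B", "dob": "1990-02-02", "result": "ok", "ssn": "Z"},
]
INSTRUCTED = ["name", "dob", "result"]
```

The list of dropped fields is what an operator would review before migration; a non-empty list means the source holds data the controller never asked to be processed.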
The seriousness of the violations, the number of individuals affected, and the risks those individuals now face because their personal data is in the hands of hackers and cybercriminals warranted a significant financial penalty. In determining an appropriate penalty, CNIL took into account the company's turnover, which was €30,000,000 in the 2020 financial year.