Leak of health data: the CNIL imposes a fine of 1.5 million euros on Dedalus

The CNIL announces that it has imposed a fine of 1.5 million euros on Dedalus Biologie for a major leak of health data. This concerned the data of nearly 500,000 people.

Big fine for Dedalus and its health data leak

“The amount of this fine was decided in view of the seriousness of the breaches identified but also taking into account the turnover of the company Dedalus Biologie”, noted the CNIL. The accessible data included surnames, first names, social security numbers, names of the prescribing doctor, dates of the examination but also (and above all) medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data), informs the personal data constable. The leak had been revealed in February 2021.

Dedalus has been guilty of numerous technical and organizational shortcomings in terms of security in the context of migration operations from one software to another, indicated the CNIL. Among the breaches identified, the group cites in particular the lack of encryption of personal data on the problematic server and the lack of authentication required to access the public area of ​​the server from the Internet. The Commission also mentions the use of user accounts shared between several employees on the private zone of the server.

The data leak affected 28 laboratories in 6 departments in the Brittany, Center-Val de Loire and Normandy regions. The French army, including some members of the foreign intelligence services, had also been affected by this hack.

Following the revelation of the circulation of data, the Paris court ordered the French Internet service providers (Orange, SFR, Bouygues Telecom and Free) to block a site on which the data having leak. A judicial investigation had also been entrusted to the cybercrime section of the Paris prosecutor’s office.