
sanction of 1.5 million euros fine for Dedalus

Legal

The bad practices implemented in the context of a migration led to the giant leak of data from medical biology laboratories.


The CNIL communicated the sanction to the publisher Dedalus, deemed responsible for the leak of medical data of nearly 500,000 people in 2021.

In February 2021, a colossal leak of health data was observed. 500,000 people (including 1,700 soldiers) were affected. The nature of the data collected and disclosed (identity, test results, etc.) made it possible to quickly identify their origin, while the CNIL referred the matter to the Paris court in summary proceedings (en référé), which ordered the Internet access providers (Orange, SFR, Bouygues Telecom and Free) to block access to the site hosting the pirated data. A year later, at the end of its investigations, the CNIL sanctioned the publisher Dedalus Biologie after finding very serious shortcomings. The sanction matches the gravity of the facts: a fine of 1.5 million euros.

The Dedalus group is one of the main publishers of software for the healthcare professions. Two years ago, it bought Agfa Healthcare, publisher of the Orbis suite for processing patient records in hospitals, a competitor to its own suite, DxCare. Its product range also includes software intended for medical biology laboratories, some of it the result of successive acquisitions. On February 24, 2021, the CNIL carried out an inspection at Dedalus Biologie. Many shortcomings were detected in connection with a commonplace operation, namely the preparation of the migration of two customers from an obsolete Dedalus Biologie solution (Megabus / Dxlab One) to a new solution from the same publisher (Kalisil). Although the data controllers were the two laboratories that ordered the migration, the CNIL pursued only the subcontractor, Dedalus Biologie, as the sole party responsible for the breaches, in accordance with the rules of the GDPR.

Six serious breaches

The two laboratories had ordered an extraction of their data limited to a range of dates and to certain fields only. The publisher, however, exported all of the data in response to this order, going beyond the instructions of the data controllers. This extraction was then stored on a poorly secured server that was relatively easy to reach from the Internet (the Megabus FTP server). As an aggravating circumstance, in March 2020 a former employee of Dedalus Biologie had informed his employer of the security risks in question. The CNIL notes, however, that the publisher reacted promptly once the crisis arose, commissioning a forensic analysis that was delivered a month later and adding corrective measures to its procedures.

In all, the CNIL identified six serious failings: lack of a specific procedure for data migration operations; lack of encryption of the personal data stored on the server in question; absence of automatic deletion of the data after migration to the new software; absence of any authentication required to access the public zone of the server from the Internet; use of user accounts shared between several employees on the private zone of the server; and lack of a supervision procedure and security alert escalation for the server. To this was added the fact that the general terms of sale, which served as the contract with customers, did not include the provisions made mandatory by the GDPR.
