


Health data leaks – the French company Dedalus Biologie fined 1.5M euros


published on 20 October 2022 | reading time approx. 6 minutes


Many hospitals in France have fallen victim to ransomware in recent years. Because they refused to pay (or rather were unable to pay such astronomical sums), a great deal of sensitive data, including health data, was divulged on the Darknet and even on the open Internet.

In this context, a massive data breach regarding nearly 500,000 people was revealed publicly on 23rd February 2021, involving the French company DEDALUS BIOLOGIE, which sells software solutions for the management of medical analysis laboratories. 

The company supplies operating licenses to its clients (laboratories), but also provides installation, start-up and support services in using its software. A maintenance agreement is also generally concluded to ensure the updating of the solutions, which includes new functionalities and allows the solutions to be kept in conformity with the standards in force.

A large amount of personal data, in particular health data, was stolen from DEDALUS BIOLOGIE’s clients and disclosed publicly, first on pirate websites. It includes, among other things, the surname, first name, social security number, name of the prescribing doctor, date of the examination, etc. But, above all, medical information about these people (HIV status, cancers, genetic diseases, pregnancies, patients’ drug therapy, or genetic data) was thus released on the Internet.

It should be recalled that the GDPR treats health data as extremely sensitive data that must therefore be particularly protected. Their processing is prohibited by default, unless a specific obligation or interest justifies it and rigorous, reinforced protection measures are taken.

The CNIL carried out several investigations regarding this company.

At the same time, on 1 March 2021, the CNIL referred the matter to the Paris judicial court in the form of urgent summary proceedings. As a result, by a court decision of 4 March, access to the website on which the leaked data had been published was blocked. Thanks to this action initiated by the public authority, the consequences for the individuals concerned were limited.

First of all, the CNIL considered that DEDALUS BIOLOGIE acted as a data processor, insofar as it provides the laboratories with software tools enabling them to carry out their processing and, in general, acts solely on the basis of their instructions. This qualification was not challenged by the company.

Based on the elements collected during the investigations, the CNIL considered that the company did not fulfil several obligations provided for by the GDPR, in particular the obligation to ensure the security of personal data.

As a result, the CNIL imposed a fine of 1.5 million euros and additionally decided to make its decision public. The amount of the fine was decided in view of the severity of the breaches observed but also in consideration of the company’s turnover.

As a reminder, at this stage this is a purely administrative fine. For their part, the people affected by these leaks can initiate liability proceedings to claim damages. And one can easily imagine that, since health data are qualified as "sensitive" by the GDPR and particularly protected, the question of prejudice genuinely arises.

Let's look in more detail at the breaches identified by the CNIL, whose controls went beyond the above-mentioned flaws. These details should be very useful to any data processor and controller seeking to improve their relationship with respect to data protection.

Breach of the obligation of the data processor to process data only under the authority of the controller (Article 29 GDPR)

In the context of the migration of a software package to another tool, requested by two laboratories using the services of DEDALUS BIOLOGIE, the latter extracted a larger volume of data than required by the laboratories.

The company therefore processed data beyond the instructions given by the data controllers (its clients).

Breach of the obligation to ensure security of processing (Article 32 GDPR)

Numerous technical and organizational security breaches were found against DEDALUS BIOLOGIE in the context of the migration of the software to another tool:
  • lack of a specific procedure for data migration operations;
  • lack of encryption of personal data stored on the problematic server;
  • no automatic deletion of data after migration to the other software;
  • no authentication required from the Internet to access the public area of the server;
  • use of user accounts shared by several employees on the private area of the server;
  • lack of a procedure for monitoring and reporting security alerts on the server.

This lack of satisfactory security measures was one of the causes of the data breach that compromised the medical and administrative data of almost 500,000 people.

Further, the CNIL notes that DEDALUS and certain laboratories had already been the subject of alerts in the past, with respect to the unsatisfactory level of security. These alerts should have led DEDALUS to investigate and correct its data security level before the breach of February 2021.

Breach of the obligation to provide a formal legal framework for the processing operations carried out on behalf of a data controller (Article 28 of the GDPR)

Data processing agreements are very often badly drafted or, more generally, very incomplete.

In particular, Article 28 of the GDPR provides that the contract between the controller and the processor must contain a certain number of compulsory mentions, expressly and visibly reminding the processor of its essential obligations in this area, so that it could not claim in good faith that it was unaware of them. Unfortunately, many data processing agreements, drafted by non-specialists, do not contain these mandatory mentions.

In this case, the CNIL analyzed the contractual framework of the data processing carried out via the licensed software. It found that the general terms of sale proposed by the company DEDALUS BIOLOGIE and the maintenance contracts transmitted to the CNIL did not contain the mentions provided for in Article 28-3 of the GDPR.

As a subcontractor (processor), DEDALUS BIOLOGIE tried to shift this responsibility onto its laboratory customers, who are the controllers of the processing. The CNIL recalled that responsibility for the conformity of the subcontracting contract lies with both parties, each bearing its own share. In this case, since the contractual documents were supplied by DEDALUS BIOLOGIE as the service provider, the faulty legal framework originated in those documents.

This landmark decision by the French data protection authority should remind companies, and in particular those that handle sensitive data, of the importance of preparing, negotiating and managing their data processing agreements seriously, in order to secure as far upstream as possible the guarantees and security provided by their subcontractor, including detailed technical exhibits to these agreements. It is up to them to push subcontractors to improve their level of compliance... which is not always easy.

Otherwise, the risk of data leakage or complaints will not be covered, or will be poorly covered, and may lead to sanctions, first administrative, then judicial.

This case is unfortunately a painful reminder of the need to ensure the required level of security for one's business and products, particularly for sensitive activities and especially in the face of cybercrime.

DATA PROTECTION BITES

Contact

Frédéric Bourguet, Avocat, Associate Partner
+33 1 8621 9274
Rödl & Partner France
