


France’s CNIL fines Cegedim Santé EURO 800.000: A stark warning on the risks involved in processing health data


published on 25 September 2024 | reading time approx. 8 minutes


In the healthcare sector, the handling of sensitive patient information remains a critical concern. With the rise of digital health solutions and the growing reliance on data analytics, the challenge of ensuring compliance with strict regulations such as the GDPR has become increasingly urgent.

This heightened focus on data privacy was recently exemplified by the case of CEGEDIM SANTÉ, which was fined 800,000 EURO by the CNIL on September 5, 2024, for unauthorized processing of non-anonymous health data.

CEGEDIM SANTÉ develops and sells management software for general practitioners, serving approximately 25,000 medical practices and 500 health centers, enabling them to manage appointments, patient records, and prescriptions. 

The company invited selected doctors to join an observatory to collect data from patient files in the form of encrypted identifiers, to be processed for health studies conducted by its clients and partners. In return, these selected doctors could benefit from discounts on software licenses and access to valuable statistical insights. 

However, inspections by the CNIL in 2021 revealed that, within the framework of this initiative, non-anonymous health data had been processed without authorization, ultimately leading to this sanction.

This decision offers an opportunity to revisit key concepts in European and French regulations, such as data anonymization and pseudonymization, health data warehouses, and data controllers and processors. It demonstrates that mis-qualification of these concepts can result in high-level risks and serious breaches of personal data regulations, which carry significant penalties.

Pseudonymous instead of anonymous data 

The processing of personal health data is one of the riskiest legal areas in the field of privacy, and therefore the most closely monitored by the authorities. It requires exceptional measures, such as a PIA (privacy impact assessment), a specific and very high level of security and, ideally, data anonymization or pseudonymization.

This qualification issue is at the heart of the decision: if the data collected by CEGEDIM SANTÉ is not anonymous, then it constitutes personal health data and the strict rules of the GDPR apply. In this respect, the processing of such highly sensitive data must either comply with a standard CNIL reference document (and be notified to the authority) or be authorized by the CNIL.

In its decision, the CNIL first recalled that pseudonymization retains the possibility of re-identifying individuals by reasonable means through additional information, while anonymization eliminates any possibility of re-identification. 

The CNIL also specified, in accordance with guidance from the European Data Protection Board (EDPB), that data can only be considered anonymized if the anonymization withstands three key risks:
  1. Individualization (singling out): it should not be possible to isolate an individual within the dataset;
  2. Correlation (linkability): the data must not allow linking different records to the same individual;
  3. Inference: there should be no ability to deduce or infer sensitive personal details from the available data.

The CNIL noted that, in CEGEDIM SANTÉ's system:
  • a very significant amount of data was collected on patients (including their year of birth, gender, socio-professional category, allergies, medical history, height, weight, diagnosis, medical prescriptions, sick leaves, test results) through the software used by their doctors, and also from the health insurance “Hri” teleservice;
  • this data was linked to a unique identifier for each patient of the same doctor, allowing successive transmissions from the same doctor to be combined and effectively reconstructing the patient's healthcare pathway; the rapporteur in this case was indeed able to trace the journey of a 12-year-old child with a long-term illness using an excerpt from the dataset provided during the investigations.

In light of these elements, the CNIL determined that it was possible to isolate a patient within the company's database and that the company possesses a wealth of particularly rich information about them, which poses a risk of re-identification.

Given (i) the existence of the unique identifier, (ii) the depth of the data collected by the company and (iii) the possibility of combining this data with third-party information, the CNIL found that the risk of identifying individuals was too high for the data processed to be considered anonymous and classified the data processed by CEGEDIM SANTÉ as pseudonymous rather than anonymous.
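To make the three EDPB tests concrete, here is an added illustration (not part of the article or of any CNIL or CEGEDIM SANTÉ material) that runs them over a small constructed sample of successive transmissions from one practice, each row carrying a persistent per-patient identifier and a few quasi-identifiers like those listed above. The field names, values and the `assess` function are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of monthly transmissions from one practice.
# Columns: (month, patient_id, year_of_birth, gender, category, diagnosis).
# year_of_birth, gender and category are quasi-identifiers; diagnosis is the
# sensitive attribute; patient_id is the practice's persistent identifier.
TRANSMISSIONS = [
    ("2021-01", "p17", 2009, "M", "student", "asthma"),
    ("2021-02", "p17", 2009, "M", "student", "asthma"),
    ("2021-03", "p17", 2009, "M", "student", "asthma follow-up"),
    ("2021-01", "p02", 1975, "F", "employee", "hypertension"),
    ("2021-02", "p05", 1975, "F", "employee", "hypertension"),
    ("2021-01", "p09", 1980, "M", "craftsman", "diabetes"),
    ("2021-02", "p09", 1980, "M", "craftsman", "diabetes"),
]

QUASI = (2, 3, 4)  # column indices of the quasi-identifiers


def singling_out(rows):
    """Individualization: quasi-identifier combinations held by exactly one patient."""
    patients = defaultdict(set)
    for r in rows:
        patients[tuple(r[i] for i in QUASI)].add(r[1])
    return {k for k, ids in patients.items() if len(ids) == 1}


def linkability(rows):
    """Correlation: the persistent identifier chains transmissions into a care pathway."""
    paths = defaultdict(list)
    for r in sorted(rows):  # chronological, since month is the first column
        paths[r[1]].append((r[0], r[5]))
    return {pid: p for pid, p in paths.items() if len(p) > 1}


def inference(rows):
    """Inference: quasi-identifier groups in which every record shares one diagnosis."""
    diags = defaultdict(set)
    for r in rows:
        diags[tuple(r[i] for i in QUASI)].add(r[5])
    return {k for k, d in diags.items() if len(d) == 1}


def assess(rows):
    """Assumed helper: data passes only if none of the three risks materialises."""
    return not (singling_out(rows) or linkability(rows) or inference(rows))


if __name__ == "__main__":
    print("singling out:", singling_out(TRANSMISSIONS))
    print("linkable pathways:", linkability(TRANSMISSIONS))
    print("inferable groups:", inference(TRANSMISSIONS))
    print("anonymous:", assess(TRANSMISSIONS))
```

On this sample the identifier alone lets the records of `p17` be chained into a three-month pathway, and the group (1975, F, employee) reveals its diagnosis even though it contains two patients, so the data fails every test and would be pseudonymous, not anonymous.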

Health data warehouse rather than a network of doctors

To avoid the stringent legal regime associated with health data warehouses, which are regarded as permanent databases — a regime typically linked to the status of a data controller and the implementation of appropriate security measures to protect enduring data — CEGEDIM SANTÉ argued that it operates merely as a network of doctors who agree to transmit anonymized data from their medical records to CEGEDIM SANTÉ's partners. In this regard, CEGEDIM SANTÉ contended that the transient nature of the data flow, with data retained for only three months, demonstrates that it does not constitute a permanent database like a health data warehouse.

However, the CNIL, while reiterating that a health data warehouse is a doctrinal construct assessed through a set of indicators, clarified that the temporary nature of data storage on CEGEDIM SANTÉ's servers is insufficient to rule out that qualification when considered alongside the following three criteria:
  • a large-scale collection of health data;
  • an ongoing updating of its database;
  • the provision of this data for reuse.

Consequently, the CNIL concluded that the company constituted a health data warehouse at the time of its inspection.

Data controller instead of data processor

CEGEDIM SANTÉ believed it could qualify as a data processor for both the doctors using its software and the companies producing studies and statistics, arguing that its role was limited to a technical intermediary, merely transmitting data from the doctors' systems to its partners, without determining the purposes for which the data was used.

However, the CNIL found that CEGEDIM SANTÉ, in its contracts with partners, actually defined:
  • the purposes of data processing for its observatory (i.e. conducting studies and commercializing the data as statistics, while excluding any other forms of commercialization);
  • the means of processing in its contracts with panel doctors (i.e. setting conditions for network participation, methods of data transmission, and the frequency of data collection).

The CNIL further clarified that the transmission of data to third-party partners, who reuse the data for their own purposes (thus acting as independent data controllers), does not prevent CEGEDIM SANTÉ from being classified as a data controller and, as such, from having to comply with the data protection obligations discussed below.

Sanctioned breaches

The abovementioned qualifications have significant implications, as evidenced by the first breach identified by the CNIL against CEGEDIM SANTÉ.

Since the company did not consider itself to be processing personal data:
  • it implemented no mechanism to obtain explicit and prior consent from the patients of the participating doctors for the processing in question;
  • it did not submit to the CNIL a declaration of compliance with one of the CNIL's reference frameworks;
  • in the absence of an applicable reference framework, it did not request CNIL authorization, which would have required the CNIL to assess whether the processing was necessary for reasons of public interest in the field of public health or for scientific research.

Consequently, the CNIL determined that the company failed to fulfill its obligations by processing personal data in the health sector, in violation of Article 66 of the French Data Protection Act.

Additionally, the CNIL found that CEGEDIM had breached Article 5.1.a of the GDPR (requirement of lawful, fair and transparent processing) concerning its use of the health insurance “Hri” teleservice, which provides access to the history of health reimbursements made by the health insurance for a patient over the last twelve months. 

The CNIL noted that when a doctor in the "observatory" accessed data from the teleservice, it was automatically downloaded into the patient's file, thereby enabling the company to collect the data concurrently. As a result, the CNIL considered that, by not providing for the possibility of data simply being consulted by doctors without leading to an automatic collection, the company had not processed the data lawfully.

In light of these breaches, the CNIL imposed a fine of 800,000 EURO on CEGEDIM SANTÉ, considering the company's financial capacity, the seriousness of the breaches, the massive nature of the processing and sensitive nature of the health data involved. 

This decision highlights the critical need for healthcare stakeholders to exercise extreme caution when implementing software solutions or other tools and drafting their related contracts. The correct qualification of processed data (whether anonymized or pseudonymized) determines the applicability of GDPR, and the designation of the involved legal entities as either data controllers or processors (a classification that is often complex) defines their responsibilities and obligations.

The companies concerned should also bear in mind that, when it comes to personal health data, anonymization is extremely difficult to guarantee. Attempts at anonymization are frequently reclassified as pseudonymization, given the risk of re-identification through cross-referencing of data, and thus fall within the extremely strict regime for the protection of highly sensitive data such as health data, with which companies must comply.

It is advisable to seek assistance in setting up a health data-based solution or, more generally, when concluding clinical partnerships and IT contracts.

If you are having difficulties establishing these qualifications, or if your sensitive negotiations and agreements in relation to health care projects have not yet been finalized, do not hesitate to contact us.

 DATA PROTECTION BITES

author


Frédéric Bourguet

Avocat

Associate Partner

+33 1 8621 9274



Raphaëlle Donnet

Avocate

Associate

+33 1 7935 2542


 RÖDL & PARTNER FRANCE
