Dedalus Biology, the French medical software company was recently fined by CNIL, France’s data protection authority.

The vendor must pay a total of €1.5m (£1.27m) after it was found to have violated three different articles of Europe’s General Data Protection Regulation (GDPR). The incident resulted in personal data belonging to over 490,000 patients being disclosed.

A devastating data breach

Enterprises both here in the UK and elsewhere in Europe are obliged to take appropriate measures to safeguard the personal information of data subjects, whether it is being handled or stored on file. Companies operating in the healthcare sector must often handle sensitive information on subjects, usually including detailed data on patients and their conditions.

Dedalus Biology currently provides dedicated services for thousands of French medical laboratories, and the significant fine was issued for exposing sensitive patient details of 491,939 different patients from a total of 28 laboratories based across the country.

The incident involved a database being leaked online. As a result, private and confidential patient details were disclosed. Examples of the personally identifiable information (PII) involved included full names, social security numbers, the names of prescribing doctors, dates of examinations, sensitive medical information like HIV status, genetic diseases, cancer, pregnancies and treatments, as well as some genetic data.

The sensitive information disclosed has now been shared widely online, so clients have been put at severe risk of being scammed, phished, social-engineered and potentially even blackmailed.

Articles violated

The first indications of the database leak in France surfaced as early as March 2020, when ANSSI issued a related alert to an exposed lab.

Later in February 2021, a French magazine called ZATAZ tracked down the sale of a particular dataset involved in a dark web transaction, and then confirmed that the stolen data was valid.

The French software vendor has come under fire for specific violations. Dedalus Biology was found to have broken the GDPR act’s article 29 involving a failure to comply with instructions given by the controller. Specifically, Dedalus Biology failed to follow steps required during migration from the dedicated software of another vendor, as requested by two medical laboratories. In both cases, the medical software firm extracted more data than was necessary for the operation to be carried out.

The company’s second violation was regarding the GDPR act’s article 32, which states that the data processor is liable for any failure to secure the data involved. An investigation by CNIL found several associated failures.

These included a lack of specific procedures for data migration, a lack of encryption for personal data stored on a problematic server, the absence of any automatic deletion of information after migration to other software, and a lack of authentication processes required by the internet to access a server’s public area.

Finally, GDPR article 28 was also breached. This covers the data handler’s obligation to always provide a legal act or formal contract for data processing conducted on behalf of the data controllers, which in this case were the laboratories.