Date of final decision: 15 April 2022
Cross-border case or national case: National case
Controller: DEDALUS BIOLOGIE
Legal Reference: Processing under the authority of the controller or processor (Article 29 GDPR), Security of processing (Article 32 GDPR), Processor (Article 28 GDPR)
Decision: Administrative fine
Key words: Health data breach
Summary of the Decision
Origin of the case
On 23 February 2021, the press revealed a massive data breach affecting nearly 500,000 people and involving the company Dedalus Biologie. The data released on the Internet included, for each person, surname, first name, social security number, name of the prescribing doctor and date of the examination, but also, and above all, medical information: HIV status, cancers, genetic diseases, pregnancies, patients' drug therapies, and genetic data.
The French supervisory authority (the CNIL, acting as Lead Supervisory Authority, LSA) carried out several on-site and online investigations, in particular at Dedalus Biologie, which sells software solutions for medical analysis laboratories. Based on the elements collected during the investigations, the restricted committee (the CNIL body in charge of issuing sanctions) identified three breaches. First, in the context of a migration from one software package to another tool, requested by two laboratories using the services of Dedalus Biologie, the company extracted a larger volume of data than the migration required. It therefore processed data beyond the instructions given by the data controllers and failed to comply with Article 29 GDPR. Second, the company had not ensured the security of the personal data within the meaning of Article 32 GDPR. Numerous technical and organisational security failings were found in the way Dedalus Biologie carried out the migration: no specific procedure for data migration operations; no encryption of the personal data stored on the server concerned; no automatic deletion of the data once the migration to the other software was complete; no authentication required to reach the public area of the server from the Internet; user accounts shared by several employees on the private area of the server; and no procedure for monitoring and reporting security alerts on the server. This lack of satisfactory security measures was one of the causes of the breach that compromised the medical and administrative data of almost 500,000 people. Finally, the LSA also established that the general conditions of sale proposed by Dedalus Biologie and the maintenance contracts transmitted to the CNIL did not contain the clauses required by Article 28(3) GDPR.
In light of the above, the French LSA considered that the company had failed to comply with Articles 28, 29 and 32 GDPR. It imposed on the company an administrative fine of 1.5 million euros and decided to make the decision public; after a period of two years from publication, the published decision will no longer identify the company.
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.