Medical software firm fined €1.5M for leaking data of 490k patients

The French data protection authority (CNIL) fined medical software vendor Dedalus Biology with EUR 1.5 million for violating three articles of the GDPR (General Data Protection Regulation).

Dedalus Biology provides services to thousands of medical laboratories in the country and the fine is for exposing sensitive details of of 491,939 patients from 28 laboratories.

The database leaked online and revealed the following patient details:

• Full name
• Social security number
• Name of prescribing doctor
• Date of examination
• Medical information such as HIV status, cancer, genetic diseases, pregnancies, treatments, etc.
• Genetic information (in some cases)

This information has been widely shared on the internet, so Dedalus Biology clients are running the risk of getting social-engineered, phished, scammed, and even blackmailed.

The first signs of the database leak appeared as far back as March 2020, with ANSSI issuing a related alert to one of the exposed labs in November 2020.

In February 2021, the French magazine ZATAZ located a sale of the particular dataset on the dark web and confirmed that the information was valid.

Sanction details

Dedalus Biology violated article 29 of the GDPR act, which is failure to comply with the controller's instructions. More specifically, during migration from the software of a different vendor, at the request of two medical laboratories, Dedalus extracted more information than required.

The second violation concerns article 32 of the GDPR, which makes the data processors liable for failure to secure the information. CNIL's investigation found the following associated failures:

• lack of specific procedure for data migration operations;
• lack of encryption of personal data stored on the problematic server;
• absence of automatic deletion of data after migration to the other software;
• lack of authentication required from the Internet to access the public area of the server;
• use of user accounts shared between several employees on the private zone of the server;
• absence of supervision procedure and security alert escalation on the server.

The third GDPR article breached is number 28, which covers the obligation to provide a formal contract or legal act for the data processing on behalf of the controllers (laboratories).

For the above violations, the CNIL decided to impose a penalty of 1.5 million Euros ($1.58 million), calculated as 10% of the company's annual revenue.

Although Dedalus hoped to receive a more lenient penalty based on its willingness to collaborate with CNIL's investigators, the data protection office noted that the firm took no steps to limit the dissemination of the leaked data online, so there was no basis for recognizing alleviating factors.

BleepingComputer has contacted Dedalus Biology for a comment on CNIL's decision but we haven't heard from the company at the time this article was published.

A similar case

Meanwhile, the CNIL is currently investigating another case that exposed the sensitive medical insurance information of 510,000 French, reported by insurance provider L'Assurance Maladie.

According to the details made public by the firm, 19 doctors using its online information portal fell victims to a phishing campaign, essentially giving hackers access to sensitive patient information.

As a result of this breach, full names, dates of birth, sex, social security number, and data relating to insurance rights have been compromised.