Leakage of health data: what impacts and what measures should be taken?

10/03/2021

Since February 14, 2021, a computer file containing the personal data of 500,000 patients, originating from some thirty medical biology laboratories, most of them located in the northwestern quarter of France, has been circulating on the Internet. The file reportedly includes data such as postal address, telephone number, email and social security number, but also so-called sensitive medical data (attending physician, health insurance, pathology, seropositivity, pregnancy, etc.).

While the cybercrime section of the Paris Public Prosecutor’s Office opened an investigation on February 24, 2021, in order to identify those responsible for this data theft, the National Commission for Information Technology and Liberties (CNIL) was, on the same day, tasked with examining this leak in order to “officially note the availability of the file” and determine whether there were any breaches on the part of the laboratories concerned and/or the publisher of the software used by these laboratories.

The value of this disclosed file to a cyber criminal is considerable: the data could be used to carry out targeted phishing campaigns, or lead to a risk of identity theft and trafficking in counterfeit Carte Vitale health insurance cards, thanks to the social security numbers contained in the file.

Since 2019, when the RGPD (GDPR) came into application in France, every organization and company collecting, storing or using personal data (such as a person’s name, surname, postal address or IP address) must comply with the European regulation by processing that data lawfully.

These data controllers are also required to “ensure the security of the data they process by means proportionate to the risks, especially for sensitive data such as health data”.

Thus, the laboratories appear to be in the front line in ensuring such compliance, because they are responsible for the processing and protection of their patients’ data; the responsibility of the physicians does not appear to have been called into question.

Such a situation involves a high risk to the rights and freedoms of the data subjects. A company that falls victim to data theft must not only notify the incident to the CNIL within 72 hours, but also inform the data subjects individually. The ongoing investigation will determine whether or not these obligations have been met.

This security obligation has existed in French law for more than 40 years, but has been reinforced since the entry into force of the RGPD with the creation of new tools such as breach notification, data protection impact assessments and codes of conduct to be developed.

What about data encryption? Encryption makes it impossible for someone who does not hold the decryption key to read the data. It is a computer security measure which, in the event of intrusion or theft, prevents the data from being read, used or sold. This protective measure is recommended, and even mandatory in some cases.

Our UGGC law firm and its team of lawyers specialized in data law are at your disposal to assist you in your audit & DPM compliance.

By the IP/IT team of UGGC Law Firm

Source: CNIL / Libération