The Commission Nationale Informatique & Libertés (CNIL), the French data protection authority, has ruled that Dedalus Biologie, a supplier of laboratory software, breached Articles 28(3), 29 and 32 of the General Data Protection Regulation (GDPR), and has imposed a €1.5m fine for the violations.
Dedalus Biologie supplies software to medical analysis laboratories in France. In February 2021, the French news site ZATAZ and other media outlets revealed that a dataset containing the personal and health information of almost 500,000 people in France had been posted on hacking forums and was subsequently circulated widely online. The file, which ran to 491,840 lines, held up to 60 data points per person, including identity, home address, telephone numbers, the name of the family doctor, social security number, appointment times, blood group, medical history, treatments administered, pregnancy history, genetic data and other sensitive information.
Two individuals discussed the dataset on a Turkish-language Telegram channel; one of them was a Turkish hacker known for selling stolen data. Although the data was initially thought to have come from a hospital, it was traced to around 28 medical laboratories, most of them in north-west France. The dataset had been transferred to a cloud-hosted server without encryption, which left it viewable over the Internet by unauthorized parties. The records related to laboratory tests carried out between 2015 and 2020, a period during which all of the affected laboratories were using software supplied by Dedalus Biologie.
CNIL carried out a full investigation of Dedalus Biologie and of the breach to determine whether the GDPR had been violated. It found that, within the meaning of Article 4(8) of the GDPR, Dedalus Biologie was acting as a data processor with respect to the data concerned. Article 28(3) requires that processing by a processor be governed by a contract or other legal act binding the processor to the controller, setting out the subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. Dedalus Biologie was found to have no such contract in place with the laboratories and was therefore in breach of this obligation.
Two laboratories that used Dedalus Biologie's services had authorized it to migrate their data from one tool to another; during the migration, however, more data was extracted than the operation required, so processing took place outside the laboratories' instructions, in breach of Article 29 of the GDPR, under which a processor may process personal data only on the controller's instructions. On the security side (Article 32), CNIL identified numerous technical and organizational failings in the migration operations: no encryption on the affected server; no authentication required to reach the server's public zone; no automatic deletion of data once it had been transferred to the new software; no documented procedure for data migrations; no monitoring of the server and no escalation path for security alerts; and user accounts for the server's private zone that were shared between several employees.
The seriousness of the breaches, the number of individuals affected, and the risk those individuals now face because their personal data is accessible to hackers and cybercriminals warranted a substantial GDPR fine.