A vendor that provides software to medical analysis laboratories has been slapped with a €1.5 million ($1.58 million) financial penalty for violations of the EU’s General Data Protection Regulation (GDPR) after exposing the personal data of EU citizens over the Internet.
On 23 February 2021, the French news outlet ZATAZ reported that a dataset had been listed for sale on a darkweb site which was validated and found to have come from laboratories serviced by Dedalus Biologie. The dataset included the personal data of almost 492,000 individuals and included information such as full names, social security numbers, prescribing doctors’ names, examination dates, and medical information such as illnesses, genetic diseases, pregnancies, drug treatments, and genetic data. Further investigations confirmed that the information was stored in a database that had been exposed over the internet, and multiple copies of the data were obtained by unauthorized individuals.
The French data protection authority, Commission Nationale Informatique & Libertés (CNIL) conducted an investigation of the data breach to determine whether and to what extent the GDPR had been violated. CNIL determined that, as a provider of software to medical laboratories that facilitates the implementation of the processing of the personal data of EU citizens, Dedalus Biologie is classed as a data processor per Article 4(8) of the GDPR.
Article 28(3) of the GDPR requires all processing by data processors to be governed by a contract or other legal act, that is binding on the processor with regard to the controller and sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. However, the contracts between Dedalus Biologie and its customers did not meet that requirement.
Dedalus Biologie assisted two laboratories with migrations from one software tool to another; however, a larger volume of data than was required was extracted, which meant it was processed beyond the instructions provided by each of the two data controllers, in violation of Article 29 of the GDPR.
Dedalus Biologie was also determined to have violated Article 32 of the GDPR for failing to secure the personal data of EU citizens, specifically due to the lack of specific procedures for data migration operations, the lack of encryption of personal data on servers, the lack of automatic detection of data after migration to other software, a lack of authentication for access to the public area of the server, the use of user accounts that were shared by several employees on the private zone of the server, and the absence of supervision procedure and security alert escalation on the server.