French DPA investigates a massive health data leak: Practical implications for businesses
Locations
At the end of February, the French DPA ("CNIL") was informed by the press of a massive security breach, involving health data of about 500 000 patients. While all the details of this security incident are yet to be fully investigated by the CNIL, this article informs you of the latest information regarding this data breach and explains what practical steps you can take to avoid (or at least mitigate) the risks of security incidents from a data protection law perspective.
1. Why is this health data leak particularly serious?
The CNIL was made aware by the press of a serious data breach involving the health data of approximately 500 000 patients. It appears that the file that contained the patients' data had circulated freely on at least one forum referenced by search engines.
In particular, the press announced that the following personal data had been leaked:
The CNIL was made aware by the press of a serious data breach involving the health data of approximately 500 000 patients. It appears that the file that contained the patients' data had circulated freely on at least one forum referenced by search engines.
In particular, the press announced that the following personal data had been leaked:
- Patients' names and their contact details (postal address, telephone, e-mail),
- Patients' social security numbers (SSN), which the CNIL considers to be "highly personal data".
- Health data: such as blood group, the doctor treating the patient, comments about the patient's health condition (including possible pregnancy), drug treatments or pathologies (in particular HIV).
The data controllers involved in this leak are medical analysis laboratories, although the CNIL has not publicly disclosed the identity of these companies. According to the preliminary findings, this breach appears to be "of a particularly large and serious scale".
Following a referral from the CNIL, the Paris Court of Justice has asked Internet Service Providers (ISPs) to block access to a site hosting the file at issue last Thursday. The CNIL, which has already carried out three checks on this data leakage, is continuing its investigation.
2. What actions should data controllers take in such a situation?
The GDPR requires data controllers to notify the competent data protection authority within 72 hours of becoming aware of a personal data breach. In addition, to the extent that the breach is also likely to create a 'high risk' to the data subjects' rights and freedoms, the controller(s) must also inform those data subjects about the breach.
Based on the press releases, the likeliness of the high sensitivity of the health data in question and the fact that they have been made publicly available on the Internet in a significant quantity, implies that this data breach most probably required a double notification to the CNIL and the data subjects.
At the time when the CNIL first commented publicly on this information (24th February), it confirmed that it had not received any notification from the data controllers. This week, the CNIL published a second statement on its website, confirming that it has now been duly notified of the breach, and that the data subjects will soon be notified.
It is still unclear whether the controllers notified the CNIL within the 72 hours' strict deadline. However, regarding the patients involved in this security incident, the CNIL has clarified that it will ensure that the controllers notify them "as quickly as possible".
3. Is the health sector at risk of being investigated by the CNIL?
In the context of the Covid-19 health crisis and taking into account the increasing number of cyber-attacks that have targeted health institutions, companies must be aware of the heightened risk of security breaches.
Whether or not the CNIL chooses to carry out a formal investigation procedures depends on a number of factors. The failure to notify data security breaches increases the risk of enforcement actions from the CNIL. By way of illustration, last December two doctors were fined by the CNIL (respectively 3 000 and 6 000 €) for failure to (i) implement sufficient security measures, leading to thousands of images being displayed on the Internet, and to (ii) notify this health data breach to the CNIL.
The CNIL has also just announced that the security of health data is a top priority of its enforcement strategy for 2021. On this basis, it is reasonable to expect that the CNIL will continue monitoring this sector and it may carry out further inspections in the health sector.
4. How can companies mitigate the risks of enforcement?
There are a number of actions that companies can take to mitigate the risk of enforcement measures by the DPAs, namely:
Implement appropriate security measures: Companies must implement and document their security measures to comply with the accountability principle under the GDPR. These security measures must be appropriate to the risks inherent to the processing activities. In addition, it is important to pay attention to measures that may be imposed by Member State laws (read more about this in our previous article on scientific research in the context of Covid-19 in France here).
Carry out regular checks/audits on your existing measures: Indeed, it is not sufficient to simply implement security measures. Companies must also make sure that they are correctly applied within their organisation and that they remain appropriate to the risks over time. In addition to verifying compliance, control measures should be in place to help raise the level of security of personal health data. It's worth highlighting that two thirds of the sanctions pronounced by the CNIL relate to breaches of data security obligations.
Notify your data breaches to the CNIL and/ or the individuals concerned (as appropriate): As stated above, in some cases, the GDPR requires the controller to notify the CNIL and/or individuals. Always make sure to document your assessments in this respect and to comply with all GDPR notification rules.
Avoid drawing any attention on your business by responding to data subjects' data protection requests (access rights, etc.) in a timely manner. This will reduce the risk of complaints from patients to the supervisory authority, and consequently help you stay off the CNIL's radar…
Following a referral from the CNIL, the Paris Court of Justice has asked Internet Service Providers (ISPs) to block access to a site hosting the file at issue last Thursday. The CNIL, which has already carried out three checks on this data leakage, is continuing its investigation.
2. What actions should data controllers take in such a situation?
The GDPR requires data controllers to notify the competent data protection authority within 72 hours of becoming aware of a personal data breach. In addition, to the extent that the breach is also likely to create a 'high risk' to the data subjects' rights and freedoms, the controller(s) must also inform those data subjects about the breach.
Based on the press releases, the likeliness of the high sensitivity of the health data in question and the fact that they have been made publicly available on the Internet in a significant quantity, implies that this data breach most probably required a double notification to the CNIL and the data subjects.
At the time when the CNIL first commented publicly on this information (24th February), it confirmed that it had not received any notification from the data controllers. This week, the CNIL published a second statement on its website, confirming that it has now been duly notified of the breach, and that the data subjects will soon be notified.
It is still unclear whether the controllers notified the CNIL within the 72 hours' strict deadline. However, regarding the patients involved in this security incident, the CNIL has clarified that it will ensure that the controllers notify them "as quickly as possible".
3. Is the health sector at risk of being investigated by the CNIL?
In the context of the Covid-19 health crisis and taking into account the increasing number of cyber-attacks that have targeted health institutions, companies must be aware of the heightened risk of security breaches.
Whether or not the CNIL chooses to carry out a formal investigation procedures depends on a number of factors. The failure to notify data security breaches increases the risk of enforcement actions from the CNIL. By way of illustration, last December two doctors were fined by the CNIL (respectively 3 000 and 6 000 €) for failure to (i) implement sufficient security measures, leading to thousands of images being displayed on the Internet, and to (ii) notify this health data breach to the CNIL.
The CNIL has also just announced that the security of health data is a top priority of its enforcement strategy for 2021. On this basis, it is reasonable to expect that the CNIL will continue monitoring this sector and it may carry out further inspections in the health sector.
4. How can companies mitigate the risks of enforcement?
There are a number of actions that companies can take to mitigate the risk of enforcement measures by the DPAs, namely:
Implement appropriate security measures: Companies must implement and document their security measures to comply with the accountability principle under the GDPR. These security measures must be appropriate to the risks inherent to the processing activities. In addition, it is important to pay attention to measures that may be imposed by Member State laws (read more about this in our previous article on scientific research in the context of Covid-19 in France here).
Carry out regular checks/audits on your existing measures: Indeed, it is not sufficient to simply implement security measures. Companies must also make sure that they are correctly applied within their organisation and that they remain appropriate to the risks over time. In addition to verifying compliance, control measures should be in place to help raise the level of security of personal health data. It's worth highlighting that two thirds of the sanctions pronounced by the CNIL relate to breaches of data security obligations.
Notify your data breaches to the CNIL and/ or the individuals concerned (as appropriate): As stated above, in some cases, the GDPR requires the controller to notify the CNIL and/or individuals. Always make sure to document your assessments in this respect and to comply with all GDPR notification rules.
Avoid drawing any attention on your business by responding to data subjects' data protection requests (access rights, etc.) in a timely manner. This will reduce the risk of complaints from patients to the supervisory authority, and consequently help you stay off the CNIL's radar…