The bill is steep for the publisher Dedalus Biologie, which was found responsible for the 2021 leak of medical data belonging to nearly 500,000 people. The CNIL imposed a fine of 1.5 million euros.
In February 2021, a colossal leak of health data was observed. 500,000 people (including 1,700 soldiers) were affected. The nature of the data collected and disclosed (identity, test results, etc.) made it possible to quickly identify their origin, and the CNIL referred the matter to the Paris court in summary proceedings, which ordered the Internet service providers (Orange, SFR, Bouygues Telecom and Free) to block access to the site hosting the stolen data. A year later, at the end of its investigations, the CNIL sanctioned the publisher Dedalus Biologie after finding very serious shortcomings. The penalty is commensurate with the gravity of the facts: a fine of 1.5 million euros.
The Dedalus group is one of the main publishers of solutions dedicated to the health professions. Two years ago, it bought Agfa Healthcare, publisher of the Orbis suite for processing patient records in hospitals, a competitor to its own suite, DxCare. The Dedalus group's product range also includes software intended for medical biology laboratories, some of it resulting from successive acquisitions. On February 24, 2021, the CNIL carried out an inspection at Dedalus Biologie. Many shortcomings were detected in connection with a commonplace operation, namely the preparation of the migration of two customers from an obsolete Dedalus Biologie solution (Megabus / Dxlab One) to a new solution from the same publisher (Kalisil). Although the data controllers were the two laboratories that ordered the migration, the CNIL pursued only the responsibility of the processor, Dedalus Biologie, the only party responsible for the breaches, in accordance with the rules of the GDPR.
Six serious breaches
The two laboratories had ordered an extraction of their data covering a range of dates and only certain fields. However, to fulfil this order, the publisher exported all of the data, going beyond what the data controller had asked for. This extraction was then stored on a poorly secured server that was relatively easy to reach from the Internet (the Megabus FTP server). As an aggravating circumstance, as early as March 2020 a former employee of Dedalus Biologie had reported the security risks in question to his employer. The CNIL notes, however, that the publisher showed responsiveness once the crisis was confirmed, commissioning a forensic analysis delivered a month later and adding corrective measures to its procedures.
In all, the CNIL identified six serious shortcomings: “lack of a specific procedure for data migration operations; lack of encryption of personal data stored on the problematic server; absence of automatic deletion of data after migration to the other software; lack of authentication required from the Internet to access the public area of the server; use of user accounts shared between several employees on the private zone of the server; absence of a supervision procedure and security alert escalation on the server.” To this were added general conditions of sale, serving as the contract with customers, that did not include the provisions made compulsory by the GDPR.
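The first shortcoming described above, an export that went beyond the date range and fields the data controller had ordered, is the kind of defect a minimisation check catches before anything leaves the system. The following is an added illustration, not code from Dedalus or from the CNIL decision; the records and the order specification are constructed and hypothetical:

```python
from datetime import date

# Constructed sample records (not real data): the kind of rows a lab system holds.
RECORDS = [
    {"id": "P001", "name": "Doe", "phone": "0600000001", "date": "2020-11-15", "result": "negative"},
    {"id": "P002", "name": "Roe", "phone": "0600000002", "date": "2020-12-03", "result": "positive"},
    {"id": "P003", "name": "Poe", "phone": "0600000003", "date": "2021-01-10", "result": "negative"},
]

# Hypothetical migration order from the data controller: two months, three fields.
ORDER = {"start": date(2020, 11, 1), "end": date(2020, 12, 31),
         "fields": ("id", "date", "result")}

def extract(records, order):
    """Export only records inside the ordered date range, keeping only ordered fields."""
    out = []
    for r in records:
        d = date.fromisoformat(r["date"])
        if order["start"] <= d <= order["end"]:
            out.append({k: r[k] for k in order["fields"]})
    return out

def audit_export(export, order):
    """Return violations (index, kind, detail) for anything outside the controller's order.

    Run this on the file that is about to be handed over: an empty list means the export
    contains no field and no record the order did not ask for.
    """
    allowed = set(order["fields"])
    violations = []
    for i, r in enumerate(export):
        extra = set(r) - allowed
        if extra:
            violations.append((i, "extra fields", sorted(extra)))
        if "date" in r:
            d = date.fromisoformat(r["date"])
            if not order["start"] <= d <= order["end"]:
                violations.append((i, "out of range", r["date"]))
    return violations

if __name__ == "__main__":
    minimised = extract(RECORDS, ORDER)
    print("minimised export passes audit:", audit_export(minimised, ORDER) == [])
    print("full dump violations:", audit_export(RECORDS, ORDER))
```

Auditing the full dump reports the surplus fields on every row and the record dated outside the ordered range, which is exactly the over-extraction the CNIL sanctioned.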