Francetest, the antigen testing subcontractor, has been given formal notice by the Cnil for failing to protect the health data in its care. It has two months to take all the necessary measures.
The CNIL is taking action against Francetest, a company that transfers pharmacists’ data to SI-DEP, the file created in March 2021 that centralizes all test data. After receiving an anonymous report on August 27, 2021 of a security breach affecting the “francetest.fr” website, the Cnil decided to investigate. “Online checks conducted the same day made it possible to ascertain the reality and extent of the data breach and, on September 9, 2021, a delegation carried out an on-site inspection at the company’s premises (based in Strasbourg) in order to verify that the processing of personal data implemented by the company complied with the GDPR and the Data Protection Act.”
In its decision, the Cnil states that the company’s representative, Nathaniel Hayoun, explained that after being alerted on August 27, 2021 by a journalist that personal data was freely accessible in the directory tree of the Francetest site, he found that the vulnerability was due to a misconfiguration of the web server. The flaw gave access to the contents of the directory of the Z module “francetest” used to manage the company’s various services. In that site directory the service’s source code was accessible; it contained in particular the login credentials for the patient database hosted on Y, as well as CSV extracts of that database, that is to say, in a directly readable text format.
700,000 exposed health records
These extracts included all the data provided by people when carrying out a test, listed above. The presence of these files is explained by a malfunction of one of the site’s features, which allows pharmacists to export the data of their patients who have been tested. When Nathaniel Hayoun was alerted to the vulnerability, he stated that he had stopped and restarted the web server of the “Francetest” service and fixed the vulnerability by making the folder inaccessible. He changed the connection password for the databases hosted at X and Y. He also added firewall rules to block connections to the database from any servers other than those dedicated to the “Francetest” service.
However, these measures were not sufficient, since, according to Mediapart, “more than 700,000 test results, and the personal data of patients, were accessible for months in a few clicks due to flaws on the Francetest site”. The exposed database contained records on 386,970 unique people and included their first and last name, email address, phone number, date of birth, test result (positive or negative) and social security number (NIR).
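The exposure described above came from data exports and credential-bearing source files sitting inside a served document root. As an added example, not code from the article or from Francetest, the following audit walks a document root and flags such files (CSV/SQL exports, and source or config files containing what look like database credentials); the sample tree, its file names and the credential patterns are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File types that should never sit under a served document root:
# raw data exports and source/config files that tend to carry credentials.
EXPORT_SUFFIXES = {".csv", ".sql", ".bak", ".zip"}
SOURCE_SUFFIXES = {".php", ".py", ".ini", ".yml", ".yaml", ".json", ".cfg"}
# Heuristics for embedded database credentials (constructed, not exhaustive).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(db_pass(word)?|password|passwd|pwd)\s*[=:]\s*\S+"),
    re.compile(r"(?i)\b(mysql|postgres(ql)?|mongodb)://[^\s'\"]+"),
]


def scan_docroot(root):
    """Walk a document root; return (relative path, reason) findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in EXPORT_SUFFIXES:
            findings.append((rel, "data export under docroot"))
        # dotfiles (e.g. .env) have no suffix in pathlib, so check the name too
        if suffix in SOURCE_SUFFIXES or path.name.startswith("."):
            text = path.read_text(errors="ignore")
            if any(p.search(text) for p in CREDENTIAL_PATTERNS):
                findings.append((rel, "credentials in served file"))
    return findings


def build_sample_docroot():
    """Create a constructed docroot mimicking the reported layout; return its path."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / "index.html").write_text("<html>public page</html>\n")
    (root / "module").mkdir()
    # hypothetical config file carrying a DB password, as the exposed source did
    (root / "module" / "config.php").write_text(
        "<?php $db_host = 'db.example'; $db_password = 'hunter2';\n")
    (root / "module" / "exports").mkdir()
    (root / "module" / "exports" / "patients.csv").write_text(
        "name,nir,result\nConstructed Person,000000000000000,negative\n")
    return root


if __name__ == "__main__":
    for rel, reason in scan_docroot(build_sample_docroot()):
        print(f"{reason}: {rel}")
```

Run against a real document root, each finding is a file to move outside the served tree (or to serve only through authenticated application code), and a flagged credential is one to rotate.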
Francetest subsequently took several measures to remedy this vulnerability, but “the service still has several shortcomings in terms of data security. The health data is hosted by a service provider that does not have HDS (health data hosting) certification, the authentication processes are not robust enough, the encryption methods used are weak, and the logging (recording of the actions of people accessing the tool) of server activity is incomplete”, the Cnil finds.
Consequently, the president of the Cnil, Marie-Laure Denis, has decided to put the company on formal notice to take all the necessary measures to guarantee the security of the health data it processes on behalf of hundreds of pharmacies. This means taking every measure needed to guarantee the security and confidentiality of the personal data processed, in particular those listed in the appendix to the formal notice. Francetest will then have to demonstrate to the CNIL that all of these requests have been complied with within the time limit set. The company has two months to do so.