Dedalus Biology penalised for leaking thousands of patient records

May 4, 2022
Dedalus Biology France Penalised Policy Enforcement Data Leak Patient Data

France’s data protection authority fined the medical software firm Dedalus Biology after it leaked numerous patient databases and sensitive details online, including full names, doctor information, medical information, social security numbers, examination data and genetic details.

The data protection agency fined the medical software firm for violating three provisions of the GDPR: Article 29, Article 32 and Article 28. Dedalus Biology serves thousands of medical institutions in France and exposed over 490,000 patients’ details from 28 laboratories, resulting in the penalties.

The leaked databases have since spread across the internet, exposing the affected patients and other individuals to social engineering, phishing, fraud and blackmail. Experts first noticed signs of the leak in March 2020, prompting ANSSI to issue a warning to one of the compromised labs in November of the same year.

Moreover, ZATAZ, a French magazine, also disclosed finding a valid dataset being sold on underground marketplaces.
The three GDPR acts that Dedalus Biology had violated led to a fine of 1.5 million euros or about 10% of the medical software firm’s annual revenue.
Under Article 29 of the GDPR, the firm failed to comply with the instructions of its client laboratories, for instance by extracting more data than had been requested.

Under Article 32, the firm committed numerous security failures, including the lack of appropriate procedures for data migration, the lack of encryption of personal data stored on servers with known technical issues, and no automatic deletion of data after it had been transferred to other software.

Under Article 28, the firm breached its duty to put in place a formal contract governing the data processing it carried out on behalf of the client laboratories.

Dedalus Biology initially asked for a lighter penalty, stating that it was willing to cooperate with the data protection authorities in investigating the issue. However, because the firm had still not taken steps to contain the leaked data, the authorities refused to reduce the sanctions.