PATIENT HEALTH DATA SECURITY

By Nathalie Boudet-Gizardin, counsel, and Camille Faour, associate.

The French data protection authority (Commission Nationale de l'Informatique et des Libertés, CNIL) recently reminded healthcare actors of the imperative need to ensure the security of the health data they collect and process about their patients.

This obligation is imposed on healthcare actors under Article 32 of the General Data Protection Regulation (GDPR), which became applicable on May 25, 2018 and was transposed into French law by the law of June 20, 2018[1].

Responsible for ensuring the protection of patient health data, the CNIL is extremely vigilant about compliance with this obligation by doctors and pharmacists, but also by their processors (subcontractors).

As such, the supervisory authority does not hesitate to sanction any breach in this area, as evidenced by several recent decisions which, given their significance, were exceptionally published on Légifrance.

  • Two radiologists sentenced for failing to protect their patients' health data

On December 7, 2020, two radiologists were fined by the CNIL, respectively €3,000 and €6,000, for not having sufficiently protected the personal data of their patients and for not having notified the CNIL of the resulting data breach[2].

In two decisions of the same day, published on Légifrance, the CNIL found, following an "online" check carried out in September 2019, that thousands of medical images (MRIs, X-rays, CT scans, etc.) hosted on computer servers belonging to the two radiologists were freely accessible on the Internet[3].

These images, which contained in particular the surnames, first names, dates of birth and consultation dates of the patients, were not protected by any form of encryption and had been accessible online for 4 months in the first case and 5 years in the second.

At their hearing before the CNIL's restricted committee, the practitioners admitted to having made several configuration errors on their Internet router ("box") and on their medical imaging software when they set up remote access to the files.

The CNIL therefore sanctioned the two radiologists on the dual basis of Articles 32 and 33 of the GDPR.

  • Regarding the violation of Article 32 of the GDPR, the CNIL found a breach of the radiologists' obligation to secure patient data. In particular, it specified that they should have ensured that the configuration of their computer networks did not leave the data freely accessible on the Internet, and that they should have systematically encrypted the personal data hosted on their servers. It added that these basic IT security requirements are the responsibility of every data controller. It should be remembered that every doctor is the data controller for the processing of his or her patients' data and must therefore put in place appropriate technical measures to guarantee the protection of that data.
  • On the basis of Article 33 of the GDPR, the CNIL also found that the radiologists had failed in their obligation to notify it of the data breaches that they had themselves observed. As soon as healthcare professionals become aware of a breach of their data, they are obliged to notify the CNIL within 72 hours of becoming aware of it.

Although the CNIL did not reveal the identity of the two private-practice doctors, it did want to draw the attention of healthcare professionals to the need to reinforce their vigilance over the security measures to be taken with the personal data they process, in particular by choosing the most secure applications and by surrounding themselves with competent service providers in this area[4].

  • FRANCETEST, a processor acting for pharmacists, given formal notice for failing to protect health data

More topical than ever given the current health crisis, FRANCETEST was given formal notice, by a CNIL decision of October 4, 2021, also published on Légifrance, to guarantee the security and confidentiality of the health data it collects on behalf of hundreds of pharmacies during COVID-19 screening tests[5].

Created during the COVID-19 epidemic to act as an intermediary between pharmacists and patients, FRANCETEST operates a platform used by pharmacists to collect personal data from their patients undergoing antigen tests.

In practice, patients wishing to take an antigen test access an online space by scanning a QR code (quick response code) with their mobile phone and fill out a form hosted on the francetest.fr website, where they enter their surname, first name, date of birth, postal address, email address, telephone number, social security number and the date of onset of their first symptoms.

After carrying out the antigen test, the pharmacist enters the result in his or her online interface on the FRANCETEST platform and validates its transmission to the SI-DEP platform (Système d'Information de DEPistage, the national screening information system)[6]. Once the transmission has been carried out, FRANCETEST sends an email to the patient informing them of the result of their test[7].

Informed on August 27, 2021, by an anonymous report, of the existence of a security breach affecting the data processed on the francetest.fr website, the CNIL investigated the circumstances of this breach and verified the measures taken to ensure the security of the data.

In this case, a fault in the configuration of the web server allowed access to the contents of the francetest.fr site's directory, including in particular the source code of the service and the login credentials giving access to the patient database. Extracts of that database, including all the form data entered by patients when taking a test, were readable[8] [9].
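The defect described above, a web server that lists the contents of its document root and serves the application's source code and credential files from that same directory, is the kind of configuration error a routine review of the server configuration catches. The following nginx fragment is an added illustration written for this article; it is not FRANCETEST's configuration and is not taken from the CNIL decision. The server name, paths and backend address are assumptions, chosen only to show the weak setting beside the corrected one.

```nginx
# --- Weak configuration (illustrative, assumed values) ---
# Directory listing is enabled and the whole application tree, including
# configuration files holding database credentials, is the document root.
server {
    listen 443 ssl;
    server_name example-lab.invalid;        # placeholder, not a real site
    root /var/www/app;                      # assumed: source code and config live here
    autoindex on;                           # renders "Index of /" listings for any directory
    location / {
        try_files $uri $uri/ =404;          # "$uri/" + autoindex exposes the listing
    }
}

# --- Corrected configuration (illustrative, assumed values) ---
server {
    listen 443 ssl;
    server_name example-lab.invalid;        # placeholder, not a real site
    root /var/www/app/public;               # assumed: only static assets live here
    autoindex off;                          # the default, stated explicitly

    # Never serve dotfiles (e.g. .env, .git) except the ACME challenge directory.
    location ~ /\.(?!well-known/) {
        return 404;                         # 404 rather than 403 so existence is not confirmed
    }
    # Never serve typical configuration, dump and backup file types.
    location ~* \.(env|ini|yml|yaml|sql|bak|old|log)$ {
        return 404;
    }
    # Everything else goes to the application process, which reads its
    # database credentials from the environment, not from a file under root.
    location / {
        try_files $uri @app;
    }
    location @app {
        proxy_pass http://127.0.0.1:8000;   # assumed backend address
        proxy_set_header Host $host;
    }
}
```

After editing, `nginx -t` validates the syntax before a reload. The two points that matter for the situation described in the decision are the separation of the document root from the code and configuration tree, and the explicit refusal of directory listings and of file types that commonly carry secrets; the `return 404` directives are evaluated before access control, so they apply even if another rule would otherwise allow the request.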

Although the supervisory authority noted that FRANCETEST had taken several measures to correct the defect at the origin of the data breach, it found that the company's service still suffered from several shortcomings in terms of health data security, which did not ensure the confidentiality of the data processed.

The CNIL noted in particular that:

  • Health data was not hosted, as required by Article L. 1111-8 of the Public Health Code[10], with a service provider holding HDS (health data hosting) certification issued by the Ministry of Health;
  • Authentication processes were not robust enough;
  • The cryptographic processes used were weak.

Under the terms of this formal notice, the CNIL recalled that pharmacists remain solely responsible for the processing and that the tests are carried out under their responsibility, "including the operational implementation involving, in addition to the test itself, the collection of patient data and their transmission to the SIDEP platform"[11].

In addition, the supervisory authority qualified FRANCETEST as a processor within the meaning of Article 4(8) of the GDPR[12] and indicated that, like the pharmacist acting as data controller, the processor is also required to ensure the security of health data in accordance with Article 32 of the GDPR, an obligation that is reinforced in the presence of health data (recital 75 of the GDPR)[13].

In this context, the CNIL contacted more than 300 pharmacies using the FRANCETEST platform to check their GDPR compliance arrangements.

It also contacted the National Council of the Order of Pharmacists (CNOP) to raise awareness within the profession about the processing of personal data that it carries out[14].

It follows from the above CNIL decisions that healthcare professionals must remain particularly attentive to the protection of their patients' data, especially when they use processors.


[1] Law n° 2018-493 of June 20, 2018 relating to the protection of personal data.

[2] CNIL, Deliberation SAN-2020-014 of December 7, 2020; CNIL, Deliberation SAN-2020-015 of December 7, 2020.

[3] These data could be viewed with ordinary medical image viewing software.

[4] CNIL, “Violation of health data: the CNIL sanctions two doctors”, December 17, 2020.

[5] CNIL, Decision No. MED-2021-093 of October 4, 2021.

[6] SI-DEP is the national screening information system created by Decree No. 2020-551 of May 12, 2020, whose purpose is to centralize the results of virological and serological screening tests for COVID-19.

[7] CRICHTON Cécile, "Breach of health data and covid-19", Dalloz IP/IT 2021, p. 538.

[8] CRICHTON Cécile, "Breach of health data and covid-19", Dalloz IP/IT 2021, p. 538.

[9] The database in question covered 386 people and included their surname, first name, email address, telephone number, date of birth, test result (positive or negative) and social security number (NIR).

[10] to these and their methods of transmission are subject to the agreement of the person concerned.

[11] CNIL, Decision No. MED-2021-093 of October 4, 2021.

[12] Article 4(8) of the GDPR defines "processor" as the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

[13] Decision MED-2021-093 of October 4, 2021: "In the light of recital 75 of the GDPR, which clarifies the scope to be given to this article, when the processing in question relates to special categories of personal data, such as health data, the processing must benefit from reinforced security measures (…)".

[14] CNIL, "COVID-19: formal notice to Francetest for insufficient security of health data", October 14, 2021.

Portraits GINESTIÉ MAGELLAN PALEY-VINCENT 2021

Nathalie Boudet-Gizardin

Counsel

She joined the firm the same year, in the Civil and Health team of Catherine Paley-Vincent. She advises healthcare professionals in particular on:

Civil, disciplinary and criminal defense of healthcare professionals, professional orders and medical and veterinary biology laboratories.

Advice and assistance to healthcare professionals in structuring their activities, including in the context of public/private cooperation, particularly in medical imaging.