FRENCH SUPERVISORY AUTHORITY: health data breaches, the CNIL sanctions two doctors.

On 7 December 2020, the restricted committee (formation restreinte) of the CNIL issued two sanctions of 3,000 and 6,000 euros against two doctors for having insufficiently protected the personal data of their patients and for having failed to notify a data breach to the CNIL.

Following an online inspection carried out in September 2019, the CNIL found that millions of medical images stored on the servers of two doctors in private practice were freely accessible on the internet.

During the inspections, the doctors realised that the data breaches stemmed from a poor choice of settings on their internet box (the router supplied by their ISP), as well as from a misconfiguration of their medical imaging software. The investigations also established that the medical images stored on their servers were not systematically encrypted.

On the basis of these elements, the restricted committee, the CNIL body responsible for imposing sanctions, noted that the two doctors had breached the basic principles of computer security. It found that they had failed to comply with the obligation of data security (Article 32 of the GDPR), considering that they should have ensured that the configuration of their computer networks did not lead to data being freely accessible on the internet and that they should have systematically encrypted the personal data hosted on their servers.

The restricted committee also found a failure to comply with the obligation to notify data breaches to the CNIL (Article 33 of the GDPR). Indeed, the two doctors did not carry out these mandatory notifications, which they should have done after learning that their patients’ medical images were freely accessible on the internet.

Although the restricted committee did not consider it necessary for the identity of the doctors concerned to be made public, it nevertheless wished to ensure that these decisions were published in order to alert health professionals to their obligations and to the need to increase their vigilance with regard to the security measures applied to the personal data they process.

This vigilance should lead them to choose application solutions offering the maximum guarantees in terms of IT security and personal data protection. It should also encourage them to be cautious when designing and configuring their internal IT system, if necessary by working with competent service providers in this area.

SOURCE: FRENCH DATA PROTECTION AUTHORITY – CNIL