
Lack of Security and Failure to Report Data Breach ⚕️

Confidentiality & Security | 25/03/2025

Administrative sanction against two doctors of 3,000 and 6,000 Euros, following a data leak.

Source: SAN 2019-014

🔍 Context:
Thousands of medical images belonging to two physicians were made publicly accessible on the internet due to:

  • 📶 Improper configuration of their internet router.
  • 🖥️ Misconfiguration of their medical imaging software.


โ— Identified Violations:

๐Ÿ” Failure to Ensure Data Security (Article 32 of GDPR):
The CNIL found that the two physicians:

    • ๐Ÿšซ Did not adhere to basic principles of IT security.
    • โŒ Did not ensure that their IT network configuration prevented unrestricted access to data

๐Ÿ”’ Did not systematically encrypt hosted personal data.

📢 Failure to Notify Data Breach (Article 33 of GDPR):

    • The physicians did not report the data breach to the CNIL, even after being informed that their patients’ medical images were freely accessible online.


⚖️ Consequences:

🛑 Administrative fines (December 7, 2020): €3,000 and €6,000.

🌍 Public sanction aimed at raising awareness among healthcare professionals.


🎯 Purpose of Public Decisions:
The CNIL’s restricted committee aims to:

  • ⚕️ Raise awareness among healthcare professionals about their obligations.
  • 🛡️ Emphasize the importance of vigilance in securing personal data.