Lack of Security and Failure to Report Data Breach ⚕️

Confidentiality & Security | 25/03/2025

Administrative sanction against two doctors: fines of 3,000 and 6,000 euros following a data leak.

Source: SAN 2019-014

🔍 Context:
Thousands of medical images belonging to two physicians were made publicly accessible on the internet due to:

  • 📶 Improper configuration of their internet router.
  • 🖥️ Misconfiguration of their medical imaging software.


❗ Identified Violations:

🔐 Failure to Ensure Data Security (Article 32 of GDPR):
The CNIL found that the two physicians:

  • 🚫 Did not adhere to basic principles of IT security.
  • ❌ Did not ensure that their IT network configuration prevented unrestricted access to data.
  • 🔒 Did not systematically encrypt hosted personal data.

📢 Failure to Notify Data Breach (Article 33 of GDPR):

    • The physicians did not report the data breach to the CNIL, even after being informed that their patients’ medical images were freely accessible online.


⚖️ Consequences:

🛑 Administrative fines (December 7, 2020): €3,000 and €6,000.

🌐 Public sanction aimed at raising awareness among healthcare professionals.


🎯 Purpose of Public Decisions:
The CNIL’s restricted committee aims to:

  • ⚕️ Raise awareness among healthcare professionals about their obligations.
  • 🛡️ Emphasize the importance of vigilance in securing personal data.