The President of the CNIL has issued a formal notice to the private company Francetest requiring it to secure the health data it collects on behalf of pharmacies during COVID-19 screening tests. The CNIL also contacted more than 300 pharmacies to check their compliance with the GDPR and with their security obligations.
The CNIL’s checks and decision
On 27 August 2021, the CNIL received an anonymous report indicating the existence of a security breach affecting francetest.fr, a website published by a private company.
This breach concerned the data Francetest processes as part of a service it offers to pharmacies: the service simplifies the collection of data from patients undergoing SARS-CoV-2 antigen tests and the transmission of their results to the SI-DEP platform (a file set up by the Ministry of Solidarity and Health to centralise test results).
The CNIL conducted online and on-site checks to investigate the circumstances of this data breach and to verify the measures taken to ensure data security. The exposed database contained records on 386,970 unique individuals, including their surname, first name, email address, telephone number, date of birth, test result (positive or negative) and social security number (NIR).
The CNIL found that the company had taken certain measures to remedy the vulnerability that caused the data breach. However, the Francetest service still has several data security shortcomings: the health data is hosted by a provider that does not have HDS (health data hosting) approval, the authentication mechanisms are not robust enough, the cryptographic procedures used are weak, and the logging of server activity (the recording of actions performed by people accessing the tool) is inadequate.
As a result, the President of the CNIL has decided to give the company formal notice to take all necessary measures to guarantee the security of the health data it processes on behalf of hundreds of pharmacies. The company has two months to comply.
Given the sensitivity of the data being processed and the need to inform all data subjects that data security failings persist, this formal notice is made public.
In addition, as Francetest acts as a processor (sous-traitant) for hundreds of pharmacies responsible for carrying out antigen tests, the CNIL sent a letter to more than 300 of the pharmacies concerned. In this letter, the President reminds pharmacies of the importance of securing health data and of their obligations regarding the contractual framework governing their relations with service providers.
Health data at the heart of the CNIL’s action
These various actions carried out by the CNIL are part of its control strategy for the year 2021, which focuses on the cybersecurity of the French web and the security of health data.
They are also a natural extension of the multiple control campaigns carried out by the CNIL to meet the challenges posed by the health context, particularly in terms of health data security.
In addition to its enforcement strategy, the CNIL is also pursuing its mission of supporting the players concerned in their efforts to comply with the law. For example, it has sent a letter to the Conseil national de l’ordre des pharmaciens (CNOP) calling on the profession to be more vigilant about the personal data processing it carries out.
In addition, in the coming weeks, a draft reference framework on the processing of personal data for the management of pharmacies will be submitted for public consultation on the CNIL website.