The penalty for doctors is between 3000 and 6000 euros.
This was stated by the independent administrative authority responsible for ensuring that the rights concerning the personal data of the French were respected. According to the National Commission for Information Technology and Freedoms, these two private doctors did not adequately protect the medical and personal data of their clients. Not to mention that the violation of this data would not have been reported to the commission that is in charge of this.
This article will also interest you: The Doctissimo website, in the crosshairs of the CNIL for violating the European data protection regulation
The facts have been going back to September last year. Experts from the administrative authority had observed that on servers accessible to everyone on the Internet, there were medical images and other data belonging to these two private sector doctors. According to the latter, this leak was caused by a bad setting of their internet box and it is a bad configuration of several software in charge of managing medical imaging. In addition, the National Commission for Information Technology and Freedoms also noted that these medical images had not been followed by security encryption.
There were quite many deficiencies on the doctors' side. Indeed, in addition to leaving the port of the box open, there were on these same ports removable hard drives that should be connected to the internet when it did indeed contain medical data of their patients. One of these doctors claims to have entrusted the security of the data and the configuration of his computer equipment to a specialist who apparently did not do his job properly. On the other hand, the other claimed to have set up his own servers.
According to the National Commission on Computer Science and Freedoms, perhaps anyone who stores medical data on a computer without encrypting it. This is also the case for the doctor sanctioned by the administrative authority, "considering that encryption slows down the execution of applications too much (medical record, image visualization tool".
That's not all, in addition to the medical data, there was other personal information belonging to the patients of these doctors. Namely names and surnames, dates of birth date of completion of exams, and even the nature of examinations carried out in institutions in a precise manner.
The National Commission for Computer Science and Freedoms recalled that: "In the absence of encryption, the medical data contained in the hard drive of this computer is clearly readable by anyone taking possession of this device (for example, as a result of its loss or theft) or by anyone unhaving to unread it on the network to which that computer was connected. ».
It is therefore recommended that encryption should always be provided on mobile terminals and any removable storage media.
On the other hand, it should be noted that the penalty is still heavy. To justify, the administrative authority asserts that physicians have not deployed sufficient basic means to ensure the safety of their patients' data. As a result, physicians have breached their duty to secure data in section 32 of the General Data Regulation. Under this European standard, doctors should have ensured that the setting of their computer networks was likely to maintain a high enough level of security to protect the information that was within their responsibilities.
Furthermore, the Commission points out other breaches namely: "The processing manager must, in all circumstances, comply with the notification requirement under section 33 of the Regulations unless the violation in question is not likely to pose a risk to the rights and freedoms of individuals. The fact that the data breach had been brought to the attention of Mr[…]. CNIL's control department did not relieve him of this obligation. ».
However, the National Commission for Information Technology and Freedoms did not want to disclose the names of the sanctioned doctors. The reason was not so disclosed. However these sanctions will be of a nature has challenged others on the importance of safeguarding personal data.
Now access an unlimited number of passwords: