When data leaks affect children

Usually when we talk about data leakage, we most often forget to talk about some of the people who are the most vulnerable.

These are, of course, children. When your data is freely circulating on the Internet or sold on a forum two cyber criminals, it is certain that children in addition to adults are in this situation. Especially when it comes to health data, for example.

This article will also interest you: Facebook would have been the victim of a data leak?

Let's talk about health data. While this personal information has not been sufficiently central to concerns about the computer security of digital data for a long time, the recent explosion of computer attacks, particularly the one targeting health care institutions since last year, has literally changed the game. Since the beginning of this year, there has been a lot of leakage of this kind of data. But what exactly is called health data? According to the National Commission for Information Technology and Freedoms, an independent administrative authority responsible for ensuring compliance with the European data protection regulation, health data is "considered sensitive data and which, when held by health institutions and professionals, is protected by medical secrecy." This information is crucial and sensitive and is generally covered by professional secrecy. In this regard, the Directorate of Legal and Administrative Information specifies that this data is covered by secrecy even if this person is under guardianship in the curatorship "the medical information of the protected person is not accessible to third parties" notes the administrative authority. "No need for special skills: this data is accessible to anyone, simply by entering the names and surnames of residents in a search engine.».

However, despite all this sensitivity around health data, it is unfortunately not uncommon to find it freely available on the internet.

Recently, The Accous Home has been leaked with such information. Health data held by residents of homes for adults with disabilities was available on the Internet for several months. The database continues and several personal information, be it the name or the health problem they suffered from. The whole problem is database was easily accessible from Google because indexed without any password to protect them. If for a while it's access has been removed by the home, the fact remains that until very recently, there was some information still available in cache. "They closed the access but because the search engines went through the page, the information is still available because the engine has retrieved the entire page. They should ask Google to delete the pages. You have to deindex," says Corinne Hénin, a computer security expert.

The reason for this data leak is explained by the heads of the association in charge of the home, Adapei64: "A gradual implementation of the tools of the Adapei of the Pyrenees-Atlantiques, and in particular the associative software for managing individual projects, NEO PI V2, was then planned. In anticipation of this implementation, the institution has developed its own tool to improve the sharing of information and thus the quality of support by professionals," describes the data protection delegate."We discovered accessible data problems in 2020, but with the pandemic, our actions were delayed in correcting them," adds the director of Adapei64. These leaks have all the more annoyed the team because it had set up information campaigns on the confidentiality of patient data with the directors of institutions, administrators, people accompanied …In the light of our investigation, the team was able to observe that "the concept of 'hide', had not been taken into account by the institution", had acknowledged the Director of Data Protection

The National Commission on Computer Science and Freedoms states that "in the case of persons with disabilities or minors, there are no "aggravating circumstances" for data hosts. Because "In France, it is considered that a minor can give his own consent to the processing of his data from the age of 15. Underneath, the joint consent of the child and the holder of parental authority is required."

In a dynamic of always strengthening security around children, the national education declared to this effect: "the development of a culture of data protection of a personal nature in its legal, technical and ethical dimensions within the school institution is paramount and is a priority", with this in mind, "11,000 treatment managers spread over the territory that it is necessary to raise awareness in order to protect the data of more than 12 million students and apprentices. It seems that the cases cited have therefore passed through the "acquisition and basic concepts" of cybersecurity, long promoted by "training sessions for future headteachers, webinars for teachers" and "awareness-raising activities in schools".

Now access an unlimited number of passwords: