Serious GDPR violations: Cegedim Santé fined €800,000, revealing flaws in health data privacy
Scandal in healthcare data management: how Cegedim Santé violated the GDPR and put patients' privacy at risk
The CNIL fined Cegedim Santé 800,000 euros for improperly managing patients' health data, which were deemed identifiable despite pseudonymization. The company also breached the GDPR by using the health insurance "HRi" teleservice in an unlawful manner.
The French National Commission for Information Technology and Liberties (CNIL) has fined Cegedim Santé, a company specializing in healthcare management software, €800,000. The company provides its software to around 25,000 medical practices and 500 health centers, where it is used to manage appointment schedules, patient records and prescriptions. An audit launched by the French authority in 2021 revealed that Cegedim Santé had handled patients' health data inappropriately: the data had been pseudonymized but not truly anonymized, which meant that patients remained identifiable.
Failure to truly anonymize: serious risks to privacy
According to the CNIL, the pseudonymized data still contained information that could allow the re-identification of individuals, and therefore could not be considered anonymous. The company had collected a large set of information on patients, such as year of birth, sex, socio-professional category, allergies, medical history, height, weight, diagnoses, prescriptions and test results. This information was filed under a unique identifier for each patient, which made it possible to link data transmitted later to the same person and to follow the patient's entire treatment pathway. Such a combination of a persistent identifier and detailed quasi-identifiers carries a high risk of re-identification, and it led the CNIL to sanction the company severely.
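The following is an added example, not code or data from Cegedim Santé or from the CNIL decision, illustrating why the setup described above is re-identifiable. It uses a small constructed dataset of pseudonymized event rows (patient pseudonym "pid" plus the quasi-identifiers named in the decision: year of birth, sex, socio-professional category, height, weight). It computes the k-anonymity of the export, runs a linkage attack from quasi-identifiers an outsider could plausibly know, and shows how the persistent pseudonym then exposes the whole treatment pathway. A generalisation step shows how coarsening the quasi-identifiers raises k; the function names, column names and sample values are all assumptions made for the example.

```python
"""Added example (not Cegedim Santé's code or data): re-identification risk of
pseudonymised health records that keep a persistent per-patient identifier and
detailed quasi-identifiers.  All records below are constructed."""
from collections import Counter

# Constructed sample export.  "pid" is a stable pseudonym; the quasi-identifier
# columns follow the categories listed in the CNIL decision; "event" stands in
# for the clinical payload (diagnoses, prescriptions, lab results).
RECORDS = [
    {"pid": "p01", "birth_year": 1968, "sex": "F", "csp": "cadre",    "height_cm": 172, "weight_kg": 63, "event": "diagnosis:hypertension"},
    {"pid": "p01", "birth_year": 1968, "sex": "F", "csp": "cadre",    "height_cm": 172, "weight_kg": 63, "event": "rx:amlodipine"},
    {"pid": "p02", "birth_year": 1968, "sex": "F", "csp": "cadre",    "height_cm": 160, "weight_kg": 58, "event": "diagnosis:asthma"},
    {"pid": "p03", "birth_year": 1991, "sex": "M", "csp": "ouvrier",  "height_cm": 180, "weight_kg": 82, "event": "lab:hba1c_high"},
    {"pid": "p04", "birth_year": 1991, "sex": "M", "csp": "ouvrier",  "height_cm": 181, "weight_kg": 84, "event": "diagnosis:diabetes_t2"},
    {"pid": "p05", "birth_year": 1955, "sex": "M", "csp": "retraite", "height_cm": 175, "weight_kg": 90, "event": "rx:metformin"},
    {"pid": "p05", "birth_year": 1955, "sex": "M", "csp": "retraite", "height_cm": 175, "weight_kg": 90, "event": "lab:egfr_low"},
    {"pid": "p06", "birth_year": 1958, "sex": "M", "csp": "retraite", "height_cm": 170, "weight_kg": 85, "event": "diagnosis:copd"},
]

# Quasi-identifiers as exported (assumed column names).
RAW_QI = ("birth_year", "sex", "csp", "height_cm", "weight_kg")


def patients(records, qi):
    """Collapse event rows to one quasi-identifier tuple per pseudonym."""
    return {r["pid"]: tuple(r[c] for c in qi) for r in records}


def k_anonymity(records, qi):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one patient is unique and hence directly linkable."""
    return min(Counter(patients(records, qi).values()).values())


def link(records, qi, known):
    """Linkage attack: an adversary who knows a target's quasi-identifiers
    (from a gym membership, an insurance form, a public profile...) looks
    for the pseudonym(s) whose quasi-identifiers match.  Returns sorted pids."""
    return sorted(pid for pid, key in patients(records, qi).items() if key == known)


def treatment_pathway(records, pid):
    """Once a pseudonym is linked, the persistent identifier hands over every
    event ever exported under it: the whole treatment pathway."""
    return [r["event"] for r in records if r["pid"] == pid]


def generalise(records):
    """Mitigation sketch: derive coarser attributes (decade of birth, BMI band)
    so that exact height, weight and birth year need not be exported.  Note
    that this alone does not fix the persistent pid; a real anonymisation
    would also have to drop or rotate it and check l-diversity of the events."""
    out = []
    for r in records:
        bmi = r["weight_kg"] / (r["height_cm"] / 100) ** 2
        out.append({**r,
                    "birth_decade": r["birth_year"] // 10 * 10,
                    "bmi_band": "normal" if bmi < 25 else "over"})
    return out


# Coarsened quasi-identifiers used after generalisation (assumed names).
GEN_QI = ("birth_decade", "sex", "bmi_band")


if __name__ == "__main__":
    print("k over raw quasi-identifiers:", k_anonymity(RECORDS, RAW_QI))
    target = (1968, "F", "cadre", 172, 63)          # what the adversary knows
    for pid in link(RECORDS, RAW_QI, target):
        print(pid, "->", treatment_pathway(RECORDS, pid))
    coarse = generalise(RECORDS)
    print("k after generalisation:", k_anonymity(coarse, GEN_QI))
    print("candidates after generalisation:", link(coarse, GEN_QI, (1960, "F", "normal")))
```

With the raw export every patient is unique over the five quasi-identifiers (k = 1), so a single external observation of year of birth, sex, occupation, height and weight pins down one pseudonym, and the stable pid then yields all of that patient's diagnoses and prescriptions. After coarsening, the same target only narrows to a group of two, which is the kind of quantitative check a data controller should run before calling a dataset "anonymous".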
Unlawful data processing and failure to comply with the GDPR
The CNIL also found that Cegedim Santé had breached Article 5(1)(a) of the GDPR, which requires personal data to be processed lawfully, fairly and transparently. The company made unlawful use of the health insurance "HRi" teleservice, which lets a doctor consult a patient's reimbursement history for the previous twelve months. Instead of offering doctors simple consultation, which is all the teleservice is intended for, the software automatically downloaded the data retrieved through HRi into the patients' records and made them available for extraction by Cegedim Santé itself. The CNIL considered this processing incompatible with the rules governing the teleservice.
Conclusions of the investigation and impact on the healthcare sector
At the end of the investigation, on September 5, 2024, the CNIL issued a decision imposing a fine of €800,000 on Cegedim Santé. The decision highlights the risks of improper handling of health data and underscores the importance of strict compliance with privacy regulations. It serves as a warning to all companies in the healthcare sector: a dataset is only anonymous if individuals can no longer be singled out from it, and pseudonymized health data remain personal data subject to the full requirements of the GDPR.
09/29/2024 16:37
Marco Verro