At the end of April 2022, the CNIL, the data protection authority for France, announced it had imposed a fine of €1.5 million on the medical software provider Dedalus Biology, following a significant leak of patients’ data.

Dedalus’ data exposure

As disclosed by the CNIL in a press release, Dedalus, which provides services to thousands of labs across France, was found to have violated 3 articles of the GDPR act. This resulted in the exposure of Personally Identifiable Information (PII) and sensitive Personal Health Information (PHI) of over 490,000 patients from 28 different laboratories. The information that was available for all patients affected by the leak included their date of birth, contact information, name of physician, and social security number. For over half of the patients affected, the exposed information included also email address, phone number, and blood type. More worryingly, for a small fraction of affected patients the leaked information included comments added manually, specifying extremely sensitive information such as patients’ illnesses, including HIV, cancer, and genetic diseases, the treatments carried out, and pregnancies. The data affected in the leak appears to have been collected between 2015 and 2020, with most of it belonging to the year 2018-2019.

Following the leak, the database was increasingly easy to obtain, as it quickly and widely spread in underground forums and popular telegram channels. This increased the risk that the affected patients could be further victimised by phishing, social engineering, identity fraud, medical fraud, and even blackmail.

Cybersecurity experts first noticed the leaked database back in March 2020

 In November 2020, the ANSSI, the French National Agency for the Security of Information Systems, issued an alert to one of the laboratories who had suffered the data exposure. Three months later, in February 2021, the French magazine ZATAZ discovered the leaked Dedalus data on the Dark Web, and confirmed its validity. Shortly after, the CNIL started its investigation and discovered that the leak had occurred while migrating data from one software to another, as had been requested by two laboratories that utilise Dedalus’ services.

Dedalus violation of GDPR

According to the French data regulator, Dedalus was found in violation of three GDPR articles, including:

article 29 for failure to comply with the controllers’ (the medical labs) instructions, as Dedalus extracted more information than what was needed while migrating data from one tool to another.

The second violation was in regards to article 32, according to which the processor, in this case Dedalus, was responsible for the failure to secure information, including the lack of a specific procedure to migrate data, the lack of encryption of personal data, and the lack of automatic deletion after the data migration.

The third violation concerned article 28, according to which there is the obligation to provide a formal contract or a legal act to process data on behalf of the controllers (the medical labs).

For these violations, the CNIL issued the €1.5 million fine, which was calculated to match 10% of the company’s annual revenue. Dedalus had hoped for a more lenient sanction, due to the fact that it cooperated with the CNIL during its investigation, however the data protection entity did not recognise any alleviating factors, considering the sensitive nature of the data leaked and the risk it could pose to the affected patients.

The healthcare sector: prime target for cybercriminals

According to studies, the healthcare sector is currently generating data faster than any other sector, including the manufacturing, entertainment and financial sectors, and is now responsible for generating approximately 30% of all the data worldwide. This, coupled with the nature of the data produced and stored by the healthcare sector, makes the latter an attractive target for cybercriminals. As a matter of fact, medical records are a treasure trove for cybercriminals, as they contain a wealth of unalterable personal details like personal health history, illnesses, and surgeries, that cannot be cancelled or annulled like credit cards, for instance. This information can be exploited by cybercriminals for a range of illicit activities, including blackmail, scams that take advantage of a victim’s condition, identity theft, and medical insurance fraud, or it can also be sold on the Dark Web.

Cyberattacks against the healthcare sectors have dramatically surged during the Covid-19 pandemic, both due to the rapid process of digitalisation of data, and to the lower resources placed on cybersecurity to focus on the pandemic. The type of attacks suffered included ransomware attacks that crippled hospitals’ and healthcare facilities’ systems for days or even weeks, with cybercriminals demanding payments of millions of dollars to restore data. Other attacks ranged from data breaches, botnet attacks, remote code executions, and DDoS attacks. According to research, while malicious attacks account for 60% of breaches in the healthcare sector, 35% of all breaches are still caused by human error.

According to Forbes, the number of healthcare data breaches peaked in 2021, with reports suggesting that over 45 million individuals were affected by breaches in the healthcare sector in that year alone, compared to 34 million in 2020. In addition, it is reported that the average cost to recover from a data breach is significantly higher for the healthcare sector compared to any other sector, with each incident costing on average $9.23 million in 2021, a $2 million increase compared to the previous year. As a matter of fact, after security incidents, healthcare companies may also have to pay damages to the individuals whose data was affected, and may incur in fines from data protection regulation for the mishandling of data.

The vulnerability of the healthcare sector to cyber attacks

Another reason why the healthcare sector is an attractive target is that its potential attack surface keeps expanding quickly due to the increased use of IoT systems in the medical field. These devices are often not designed with cybersecurity in mind, and are therefore vulnerable to attacks from hackers, who can then move laterally and escalate privileges in order to access sensitive databases with patients’ medical records, financial records, data on business operations, and even medical research.

Considering the sensitivity of healthcare data, and the increasing threat of malicious activity and breaches violating patients’ privacy, data security must be placed at the top of the agenda in the healthcare sector. It is therefore critical that healthcare and medical entities invest in, and adopt, modern cybersecurity measures, including the use of encryption for data stored and in transit, in addition to data recovery and backup mechanisms.

It is also essential that entities in the healthcare sector ensure that all third-party partners adopt strong cyber protective measures and adhere to the same cybersecurity standards, as business partners can be used by cybercriminals as entry points to launch attacks against healthcare entities. Healthcare companies would also benefit from training on how to hand PII and PHI in order to reduce data breaches caused by human error, for instance by losing a device or disclosing information accidentally.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference List

• https://www.bleepingcomputer.com/news/security/medical-software-firm-fined-15m-for-leaking-data-of-490k-patients/
• Ransomware: In the Healthcare Sector (cisecurity.org)
• https://www.cnil.fr/fr/fuite-de-donnees-de-sante-sanction-de-15-million-deuros-lencontre-de-la-societe-dedalus-biologie
• https://www.dataguidance.com/news/france-cnil-fines-dedalus-biologie-15m-following-health
• https://www.dqindia.com/data-privacy-protection-must-healthcare-sector/
• https://www.ejinsight.com/eji/article/id/3121214/20220503-What-can-health-sector-learn-from-2021%E2%80%99s-cyber-threat%20-landscape
• https://www.forbes.com/sites/forbestechcouncil/2022/05/03/data-security-must-be-prioritized-in-the-healthcare-industry/?sh=352d4abf1cd3
• https://www.forbes.com/sites/forbestechcouncil/2021/06/07/increased-cyberattacks-on-healthcare-institutions-shows-the-need-for-greater-cybersecurity/?sh=4477e2245650
• https://www.forbes.com/sites/forbestechcouncil/2022/02/15/cybersecurity-and-data-protection-in-healthcare/?sh=60d2da155048
• https://www.enterpriseitworld.com/what-can-the-health-sector-learn-from-2021s-threat-landscape/
• https://www.safetydetectives.com/blog/healthcare-cybersecurity-statistics/
• https://www.who.int/activities/stopping-attacks-on-health-care
• Big tech, big data and the new world of digital health - ScienceDirect

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.