Cegedim Santé fined €800,000 for processing health data unlawfully

The data was found to be pseudonymous – not anonymous – making it possible to re-identify the people concerned.

CNIL has fined Cegedim Santé €800,000 ($886,809) for processing health data without authorization. The French Data Protection Authority said that the fine reflects the “seriousness of the breaches, the massive nature of the processing and the fact that the data concerned is health data, and therefore sensitive data.”

The company, which publishes and sells management software for general practitioners working in surgeries and health centers, has about 25,000 medical practices and 500 health centers using this software to manage their diaries, patient files and prescriptions.

In inspections from 2021, the company was found to be processing non-anonymous health data without authorization, and to have later transmitted it to customers in pseudonymous form. For each patient, the information was linked to a unique identifier tied to the same doctor, which made it possible to link the data and therefore re-identify the individuals.

The collected data included:

  • year of birth;
  • gender;
  • socio-professional category;
  • allergies;
  • medical history;
  • height;
  • weight;
  • diagnosis;
  • medical prescriptions;
  • sick leaves; and
  • analysis results.

Because of the extent of the data and the risk of combining it with information held by third parties, CNIL found that the “risk that a person’s identity could be traced was too high for the data processed by the company to be considered anonymous.”
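The two findings above (a stable per-patient identifier that chains records together, and quasi-identifiers such as year of birth, gender, height and weight that can be matched against outside data) are the standard ingredients of a linkage re-identification. The following Python script is an added illustration, not code from the article or from CNIL, and all records in it are constructed: it measures how exposed a "pseudonymised" extract is (k-anonymity over the quasi-identifiers, and how many auxiliary records single out exactly one pseudonym), then shows how coarsening the quasi-identifiers raises k and removes the unique matches. The field names and the `generalise` banding are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample extract in the style of a "pseudonymised" practice export
# (every value is invented). pseudo_id is stable per patient within one doctor's
# practice, so all rows of the same patient can be chained together.
EXPORT = [
    {"pseudo_id": "P1", "doctor": "D42", "birth_year": 1961, "sex": "F", "height_cm": 162, "weight_kg": 58, "entry": "asthma"},
    {"pseudo_id": "P1", "doctor": "D42", "birth_year": 1961, "sex": "F", "height_cm": 162, "weight_kg": 58, "entry": "sick leave"},
    {"pseudo_id": "P2", "doctor": "D42", "birth_year": 1961, "sex": "F", "height_cm": 165, "weight_kg": 55, "entry": "hypertension"},
    {"pseudo_id": "P3", "doctor": "D42", "birth_year": 1987, "sex": "M", "height_cm": 180, "weight_kg": 82, "entry": "fracture"},
    {"pseudo_id": "P4", "doctor": "D42", "birth_year": 1987, "sex": "M", "height_cm": 180, "weight_kg": 85, "entry": "diabetes"},
]

# Constructed auxiliary data of the kind a third party might hold (an invented
# membership list): direct identifiers next to the same quasi-identifiers.
AUXILIARY = [
    {"name": "Alice Example", "birth_year": 1961, "sex": "F", "height_cm": 162, "weight_kg": 58},
    {"name": "Bob Example", "birth_year": 1987, "sex": "M", "height_cm": 180, "weight_kg": 82},
]

# Attributes that are not identifiers on their own but become one in combination.
QUASI = ("birth_year", "sex", "height_cm", "weight_kg")


def quasi_key(row, transform=None):
    """Tuple of quasi-identifier values, optionally after a coarsening transform."""
    r = transform(row) if transform else row
    return tuple(r[q] for q in QUASI)


def k_anonymity(rows, transform=None):
    """Size of the smallest group of *patients* sharing one quasi-identifier
    combination. k == 1 means at least one patient is unique in the extract."""
    classes = defaultdict(set)
    for row in rows:
        classes[quasi_key(row, transform)].add(row["pseudo_id"])
    return min(len(ids) for ids in classes.values())


def unique_linkages(rows, aux, transform=None):
    """Auxiliary records whose quasi-identifiers match exactly one pseudonym.
    Each such match is a person a recipient of the extract could single out.
    Returns {name: pseudo_id}."""
    by_key = defaultdict(set)
    for row in rows:
        by_key[quasi_key(row, transform)].add(row["pseudo_id"])
    singled_out = {}
    for person in aux:
        ids = by_key.get(quasi_key(person, transform), set())
        if len(ids) == 1:
            singled_out[person["name"]] = next(iter(ids))
    return singled_out


def records_for(rows, pseudo_id):
    """Everything the stable identifier chains to one patient: one successful
    match exposes the whole history, not a single row."""
    return [r["entry"] for r in rows if r["pseudo_id"] == pseudo_id]


def generalise(row):
    """Assumed mitigation for the example: decade of birth, 10 cm and 10 kg bands."""
    r = dict(row)
    r["birth_year"] = row["birth_year"] // 10 * 10
    r["height_cm"] = row["height_cm"] // 10 * 10
    r["weight_kg"] = row["weight_kg"] // 10 * 10
    return r


if __name__ == "__main__":
    print("k (raw extract):        ", k_anonymity(EXPORT))
    matches = unique_linkages(EXPORT, AUXILIARY)
    print("singled out (raw):      ", matches)
    for name, pid in matches.items():
        print(f"  {name} -> {pid}: {records_for(EXPORT, pid)}")
    print("k (generalised):        ", k_anonymity(EXPORT, generalise))
    print("singled out (generalised):", unique_linkages(EXPORT, AUXILIARY, generalise))
```

On the raw extract k is 1 and both auxiliary records match exactly one pseudonym, after which the stable identifier hands over that patient's complete record set; after banding the quasi-identifiers k rises to 2 and no auxiliary record singles anyone out. The check is a floor, not a proof of anonymity: a larger or richer auxiliary dataset, or additional columns such as diagnoses, can break a generalisation that looks safe on the extract alone, which is the substance of CNIL's reasoning above.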

Cegedim Santé was found to have violated:

Article 66 of the French Data Protection Act – The obligation to carry out prior formalities in the health sector

The company was found to have failed to:

  • submit any request for authorization to the CNIL to assess whether this processing was necessary for reasons of public interest in the field of public health or necessary for scientific research purposes; and
  • send a declaration of compliance with one of the CNIL's reference frameworks to the authority.

EU GDPR Article 5.1.a – lawfulness of processing

This breach relates to the company's use of the “HRi” teleservice set up by the health insurance, which gives access to a patient’s health history over the last twelve months. CNIL rejected the argument that this amounted to “data simply being consulted by doctors without leading to an automatic collection.”