Medical software firm fined €1.5M for leaking data of 490k patients (Security News, April 2022)
The French data protection authority (CNIL) fined medical software vendor Dedalus Biology EUR 1.5 million for violating three articles of the GDPR. Dedalus Biology provides services to thousands of medical laboratories in the country, and the fine is for exposing sensitive details of 491,939 patients from 28 laboratories.
The first violation occurred during a migration from another vendor's software: at the request of two medical laboratories, Dedalus extracted more information than was required.
The second violation concerns article 32 of the GDPR, which makes data processors liable for failing to secure the information they handle. Among the failures cited was the lack of encryption of personal data stored on the problematic server.
The third GDPR article breached is article 28, which covers the obligation to have a formal contract or other legal act governing data processing carried out on behalf of controllers.
Although Dedalus hoped to receive a more lenient penalty based on its willingness to cooperate with CNIL's investigators, the data protection authority noted that the firm took no steps to limit the dissemination of the leaked data online, so there was no basis for recognizing mitigating factors.