Health data: CEGEDIM SANTÉ fined €800,000
On 5 September 2024, the CNIL fined CEGEDIM SANTÉ 800,000 euros for processing health data without authorization.
Background
CEGEDIM SANTÉ publishes and sells management software for general practitioners working in surgery and health centers. Some 25,000 medical practices and 500 health centers use this software. This software enables doctors to manage their diaries, patient files and prescriptions.
Inspections carried out by the CNIL in 2021 revealed, in connection with the use of one of its software products, that the company had processed without authorization non-anonymous health data, transmitted to its customers in order to carry out studies and produce statistics in the health sector.
As a result, the restricted committee - the CNIL body responsible for issuing sanctions - imposed a fine of 800,000 euros on CEGEDIM SANTÉ, taking into account the company's financial capacity, the seriousness of the breaches, the massive nature of the processing and the fact that the data concerned is health data, and therefore sensitive data.
Pseudonymous instead of anonymous data
As part of its business, the company offers a panel of doctors using one of these software packages the opportunity to join an "observatory". Data collected are then used by CEGEDIM SANTÉ's customers, in particular for research purposes.
CNIL's investigations revealed that data were not anonymous, but only pseudonymous, since it was technically possible to re-identify the people concerned.
As this involved the processing of personal data, the company should have obtained authorization from the CNIL to use them (Article 66.III of the French Data Protection Act).
To assess whether or not the data processed is anonymous, the restricted committee focused on determining whether the data subjects could be re-identified by reasonable means, as provided for by the case law of the Court of Justice of the European Union and the work carried out by data protection authorities at European level (opinion 05/2014 on anonymization techniques of April 10, 2014).
The restricted committee noted that CEGEDIM SANTÉ collected a large amount of data on the individuals concerned, such as year of birth, gender, socio-professional category, allergies, medical history, height, weight, diagnosis, medical prescriptions, sick leaves and analysis results. The data were linked to a unique identifier for each patient of the same doctor, making it possible to combine data transmitted successively by the same doctor concerning the same patient, and thus to reconstruct their healthcare pathway. In view of thisinformation, the restricted committee considered that it was possible to isolate an individual within the company's database, and that the company possessed a great deal of particularly detailed information concerning that individual, leading to a risk of re-identification.
Under these conditions, given the existence of the unique identifier and the depth of the data collected by the company - and also taking into account the possibility of combining the data held by CEGEDIM SANTÉ with data held by third parties - the restricted committee considered that the risk that a person's identity could be traced was too high for the data processed by the company to be considered anonymous.
As a result, the restricted committee considered that the data processed by CEGEDIM SANTÉ was pseudonymous and not anonymous at least until 2022 (the end date of the investigations).
Reminder
If the data is anonymous, then it is not a personal data: in this case, data protection regulations do not apply.
Conversely, if the data is pseudonymous, then the regulations apply.
Sanctioned breaches
Failure to comply with the obligation to carry out prior formalities in the health sector (Article 66 of the French Data Protection Act).
The French Data Protection Act (Article 66.III) stipulates that the processing of personal data in the health sector must only be carried out with the authorization of the CNIL, or in compliance with a referential mentioned (Article 66.II).
The restricted committee considered that the company had not complied with these requirements, even though it constituted a health data hub:
- the company did not submit any request for authorization to the CNIL to assess whether the processing in question was necessary for reasons of public interest in the field of public health or necessary for scientific research purposes;
- the company didn't send a declaration of compliance with one of its frame of reference to the CNIL.
Failure to comply with the obligation to process data lawfully (Article 5.1.a of the GDPR).
The restricted committee considered that the company had committed a breach of Article 5.1.a of the GDPR concerning its use of the "HRi" teleservice set up by the health insurance, which provides access to the history of health reimbursements made by the health insurance for a patient over the last twelve months.
It noted that consultation of the data from this teleservice by a doctor who was a member of the "observatory" automatically led to the data being downloaded into the patient's computerized file, enabling the company to collect it at the same time. The restricted committee considered that, by not providing for the possibility of data simply being consulted by doctors without leading to an automatic collection, the company had not processed the data lawfully.
CEGEDIM SANTÉ was fined 800,000 euros by the restricted committee for these two breaches.
The restricted committee did not issue a compliance order, as since July 2024, the company has no longer been the controller, but has only published the software in question. The data collected by doctors no longer passes through CEGEDIM SANTÉ, but feeds directly into a database held by another company of the group, which is now the controller.