Two weeks ago, the online magazine “Zataz” reported for the first time that medical data from almost 500,000 French people was being offered for sale in an Internet forum frequented by cyber criminals. The newspapers “Liberation” and “Le Monde” provided further details earlier this week. The French data protection authority CNIL has now started an investigation into the case. According to the authority, initial results indicate “that it is actually a particularly large and serious data breach”.
According to the reports, the information on sale comes from the files of around thirty medical analysis laboratories, mainly located in the Morbihan, Côtes-d’Armor, Eure, Loiret and Loir-et-Cher departments. The CNIL's findings to date largely coincide with these reports. The extensive data set is said to have first found a buyer a few months ago. The criminal hacker is asking a price of $1000 for the package.
At the same time, the CNIL reminded the potentially affected institutions of their duty under the General Data Protection Regulation (GDPR) to inform the data protection supervisory authority within 72 hours after a leak becomes known. Furthermore, in a case with high risks for fundamental rights, the responsible bodies would have to inform the data subjects individually that their data has been compromised and published online.
The National Agency for the Security of IT Systems (Anssi) told the AFP news agency in parallel that it had identified the “origin” of the health data leak and reported it to the Ministry of Health as early as November 2020. Recommendations were also given on how to deal with the incident. Apparently the Anssi had not exchanged information with the CNIL.