The National Commission for Informatics and Freedoms (CNIL) announced on Thursday, October 14, that it had notified the private company Francetest that it must secure the health data it collects on behalf of pharmacies during Covid-19 detection tests.
The news site Mediapart revealed on Tuesday, August 31, a computer error that made about 700,000 results of antigen tests performed in pharmacies accessible. Francetest said that the next day it had the “necessary assistance from cybersecurity experts”. The company, which specializes in transferring coronavirus screening test data to the government platform SI-Dep (for the detection information system), had specified that server security assessment operations would be performed with these experts.
Two months to do what it takes
After carrying out checks, the CNIL stated that the exposed database concerned “386,970 unique people and includes their last name, first name, email address, telephone number, date of birth, test result (positive or negative) and Social Security number”.
Although Francetest has taken certain steps to address the vulnerability linked to the data breach, the service “still has several data security deficiencies (…). Health data is hosted by a service provider that does not have HDS [health data hosting] approval, authentication processes are not robust enough, the cryptographic methods used are weak, and logging [recording of the actions of people accessing the tool] of server activity is incomplete”, explained the CNIL. “The company has two months to do what is necessary”, it added.
Many pharmacists use intermediaries to enter the results of the tests they perform into SI-Dep. Francetest thus charges 1 euro per transmission, according to the news site Mediapart. Since the company Francetest is a subcontractor of hundreds of pharmacies responsible for the operational performance of antigen tests, the CNIL sent a letter to “more than 300 pharmacies to check their compliance with the GDPR [General Data Protection Regulation] and the security obligation”.