CNIL announces two fines against two doctors amounting to EUR 9,000 for failure to ensure the security of patient data


On 17 December 2020, the French DPA (“CNIL”) announced imposing two fines totaling EUR 9,000 against two doctors for insufficient protection of patient data and failure to notify the CNIL about a data breach.

The CNIL conducted an online audit in September 2019, which revealed that thousands of medical images stored on the servers belonging to the two doctors were publicly available on the internet. In addition, the two doctors did not make the mandatory notifications after they observed that the medical images with their patients were freely available on the internet.

In particular, by the publicity of these decisions, the CNIL seeks to caution health professionals of their obligations and the need to strengthen their vigilance on security measures applied to the personal data they process by choosing IT solutions that offer maximum guarantees in terms of security and personal data protection.

The full press release is available here (only in French).