By La Provence (with AFP)
The Cnil, French gendarme of personal data, announced on Thursday that it had given notice to the young company Francetest, a site transmitting the results of Covid tests carried out in pharmacies to the government platform, to “insufficient security” health data. This decision follows the revelation at the end of August of a security breach that made personal data (surnames, first names, dates of birth, addresses, telephone numbers, social security numbers and e-mail address) and the results of tests of thousands of people.
“The Cnil noted that the company had taken certain measures to address the vulnerability that caused the data breach. However, the Francetest service still has several data security deficiencies.“, said the regulator in a statement. “Consequently, the president of the CNIL has decided to put the company on notice to take all the necessary measures to guarantee the security of the health data that it processes on behalf of hundreds of pharmacies. The company has a deadline. two months to do what is necessary “, is it added.
Francetest is a company founded last January which specializes in the transfer of data from Covid tests carried out in pharmacies to the government platform SI-DEP. The SI-DEP (screening information system) is a secure platform where the results of Covid-19 tests are systematically recorded in order to “to ensure that all positive cases are taken care of” and identify contact cases, explains the Ministry of Health on its site. Result: many pharmacists use intermediaries to enter the results of the tests carried out in the SI-DEP. Francetest thus charges one euro per transmission, according to the Mediapart news site, which revealed the data leak.
“The Francetest company is a subcontractor of hundreds of pharmacies responsible for the operational performance of antigenic tests, the Cnil has sent a letter to more than 300 pharmacies concerned”, she further indicated, so that they check their compliance with the General Data Protection Regulation (GDPR) and the security obligation.