The Commission nationale de l'informatique et des libertés (CNIL), the French data protection authority, announced on Thursday, October 14, that it had served formal notice on the private company Francetest to secure the health data it collects on behalf of pharmacies during Covid-19 screening tests.
A security flaw that exposed some 700,000 results of antigen tests carried out in pharmacies was revealed on Tuesday, August 31 by the news site Mediapart. The next day, Francetest stated that it had “called on the assistance of cybersecurity experts”. The company, which specializes in transferring data from coronavirus screening tests to the government platform SI-Dep (the national screening information system), had said that a security assessment of its servers would be carried out with these experts.
Two months to do what is necessary
After carrying out checks, the CNIL declared that the exposed database concerned “386,970 unique people and included their last name, first name, e-mail address, telephone number, date of birth, test result (positive or negative) and Social Security number”.
While Francetest has taken certain measures to remedy the vulnerability that caused the data breach, the service “still has several data security shortcomings (…). Health data is hosted by a service provider that does not have HDS approval [the French health data hosting certification], the authentication processes are not robust enough, the cryptographic methods used are weak and the logging [recording of the actions of people accessing the tool] of server activities is incomplete”, the CNIL explained. “The company has two months to do what is necessary”, it added.
Many pharmacists use intermediaries to enter the results of the tests they carry out into SI-Dep; Francetest charges 1 euro per transmission, according to Mediapart. Since Francetest is a subcontractor (in GDPR terms, a data processor) of the hundreds of pharmacies responsible for performing the antigen tests, the CNIL sent a letter to “more than 300 pharmacies to check their compliance with the GDPR [General Data Protection Regulation] and the security obligation”.