Software illegally collected patient data from 2,000 doctors

Cegedim Santé, a company publishing and selling management software to general practitioners, was fined 800,000 euros by the CNIL for processing non-anonymous health data without authorization.

Health data used for studies without patients' knowledge: on Thursday, September 12, the National Commission for Information Technology and Civil Liberties (CNIL), the French data protection authority, announced that it had fined Cegedim Santé 800,000 euros for processing health data without authorization.

The company publishes and sells practice-management software that lets office-based doctors manage their schedules, patient files and prescriptions. Around 25,000 medical practices and 500 health centers use it.

Illegal data processing

Having carried out checks in 2021, the CNIL found that Cegedim Santé, which also owns Maiia (a competitor of Doctolib), had processed non-anonymous health data without authorization with one of its software programs.

Some of the doctors using one of the company's programs were invited to join an "observatory". Through it, Cegedim Santé offered its clients the use of the health data collected via those doctors to conduct studies. Cegedim Santé told Tech&Co that the data collected came from the 2,000 doctors who are members of this observatory.

Among this personal information are “year of birth, gender, socio-professional category, allergies, medical history, height, weight, diagnosis, medical prescriptions, sick leave and test results”, noted the CNIL.

Because the information is pseudonymous rather than anonymous, it can allow a person to be re-identified, the authority emphasizes. It considers that risk too high, given that the data collected by Cegedim Santé is "particularly rich" and that an individual can be isolated (singled out) within the company's database.

“These data were linked to a unique identifier for each patient of the same doctor, making it possible to link together the data transmitted successively by the same doctor concerning the same patient and thus to reconstruct their care pathway,” deplores the CNIL.
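The two mechanisms the CNIL points to, a stable per-patient identifier that chains successive transmissions into a care pathway, and a record set rich enough to single an individual out, are easy to demonstrate. The following is an added example, not code or data from the article, from Cegedim Santé or from the CNIL: it builds a small constructed dataset in the shape described (one pseudonym per patient, scoped to the transmitting doctor, plus year of birth, gender, height, weight, diagnosis and prescription) and shows how the pseudonym reconstructs a pathway, how a k-anonymity count exposes singled-out patients, and how an attacker who knows a few stable facts about a person links them to their whole history. All field names and values are assumptions made for the illustration.

```python
"""Linkage and singling-out on pseudonymised health records.

Added example (not from the article, Cegedim Santé or the CNIL).
The dataset below is constructed: the field names and values are
assumptions chosen to match the categories the CNIL lists.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample. The pseudonym is stable for a patient *within one
# doctor's software*, so "p01" under D1 and "p01" under D2 are different
# people; records must therefore be keyed by (doctor, pseudonym).
RECORDS = [
    {"doctor": "D1", "pseudonym": "p01", "visit": date(2021, 1, 5), "yob": 1958, "sex": "F",
     "height": 162, "weight": 70, "diagnosis": "type 2 diabetes", "prescription": "metformin"},
    {"doctor": "D1", "pseudonym": "p01", "visit": date(2021, 4, 9), "yob": 1958, "sex": "F",
     "height": 162, "weight": 68, "diagnosis": "type 2 diabetes", "prescription": "metformin"},
    {"doctor": "D1", "pseudonym": "p01", "visit": date(2021, 9, 1), "yob": 1958, "sex": "F",
     "height": 162, "weight": 67, "diagnosis": "retinopathy screening",
     "prescription": "ophthalmology referral"},
    {"doctor": "D1", "pseudonym": "p02", "visit": date(2021, 2, 3), "yob": 1990, "sex": "M",
     "height": 180, "weight": 80, "diagnosis": "sprain", "prescription": "ibuprofen"},
    {"doctor": "D1", "pseudonym": "p03", "visit": date(2021, 3, 3), "yob": 1990, "sex": "M",
     "height": 180, "weight": 82, "diagnosis": "flu", "prescription": "rest"},
    {"doctor": "D2", "pseudonym": "p01", "visit": date(2021, 5, 3), "yob": 1975, "sex": "F",
     "height": 170, "weight": 60, "diagnosis": "migraine", "prescription": "sumatriptan"},
]

# Quasi-identifiers: attributes that do not change between visits and that an
# outsider could plausibly know about a person. Weight is left out because it
# varies from visit to visit.
QUASI_IDS = ("yob", "sex", "height")


def care_pathways(records):
    """Group rows by (doctor, pseudonym) and order them by visit date.

    This is the linkage the CNIL describes: the stable pseudonym lets data
    transmitted at different times be chained into one patient's history.
    """
    paths = defaultdict(list)
    for r in records:
        paths[(r["doctor"], r["pseudonym"])].append(r)
    return {k: sorted(v, key=lambda r: r["visit"]) for k, v in paths.items()}


def patient_keys(records, quasi_ids=QUASI_IDS):
    """Map each patient to its quasi-identifier tuple (one entry per patient, not per row)."""
    return {(r["doctor"], r["pseudonym"]): tuple(r[q] for q in quasi_ids) for r in records}


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Count how many distinct patients share each quasi-identifier combination.

    The smallest count is the dataset's k-anonymity; k == 1 means at least one
    patient can be isolated from the others by those attributes alone.
    """
    return Counter(patient_keys(records, quasi_ids).values())


def singled_out(records, quasi_ids=QUASI_IDS):
    """Return the (doctor, pseudonym) keys of patients unique on the quasi-identifiers."""
    classes = equivalence_classes(records, quasi_ids)
    return sorted(p for p, key in patient_keys(records, quasi_ids).items() if classes[key] == 1)


def link_known_person(records, known, quasi_ids=QUASI_IDS):
    """Linkage attack: match outside knowledge of a person to a pseudonym.

    `known` holds the attacker's background facts (assumed here to be year of
    birth, sex and height, e.g. from a public profile). If exactly one patient
    matches, the entire care pathway is returned; an ambiguous or absent match
    returns [] because the attacker cannot tell which record is the target.
    """
    target = tuple(known[q] for q in quasi_ids)
    paths = care_pathways(records)
    matches = [p for p, key in patient_keys(records, quasi_ids).items() if key == target]
    if len(matches) != 1:
        return []
    return paths[matches[0]]


if __name__ == "__main__":
    print("k-anonymity:", min(equivalence_classes(RECORDS).values()))
    print("singled out:", singled_out(RECORDS))
    hit = link_known_person(RECORDS, {"yob": 1958, "sex": "F", "height": 162})
    print("linked pathway:", [(str(r["visit"]), r["diagnosis"]) for r in hit])
```

With this constructed data the woman born in 1958 is alone in her equivalence class, so three public facts about her are enough to retrieve her complete diabetes history, while the two 1990-born men mask each other (k = 2) and the attacker gets nothing. Raising k for every class (coarsening year of birth to a decade, dropping height, or removing the stable pseudonym so visits cannot be chained) is what separates data that is merely pseudonymised from data that is actually anonymised.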

Cegedim Santé should have requested authorization from the CNIL before collecting and processing this information. Concluding that the company had not processed the data lawfully, which constitutes a breach of the GDPR, the authority sanctioned it.

The CNIL specifies that the sanction is not accompanied by an injunction to comply, because Cegedim Santé is no longer the data controller for this processing but only the publisher of the software in question.

For its part, Cegedim Santé added that it is examining the possibility of contesting the CNIL’s decision before the Council of State.
