The antigenic tests subcontracting company, Francetest, is given formal notice by the Cnil for failure to comply with the protection of health data which is incumbent on it. A period of two months is allowed to take all the necessary measures.
A flaw allowed access to all data provided by people when performing a test on the Francetest service. (Credit: Fernando Zhiminaicela, Pixabay)
The CNIL attacks Francetest, a company transferring pharmacists' data to the SI-DEP file, the file centralizing all the test data created in March 2021. After receiving an anonymous report on August 27, 2021 reporting a flaw security affecting the “francetest.fr” website, the Cnil decided to investigate. 2021, a delegation carried out an on-site control mission inthe premises of the company (based in Strasbourg) in order to verify the compliance of the processing of personal data implemented by the latter with the RGPD and the Data Protection Act.
In its court decision , the Cnil indicates that the representative of the company, Nathaniel Hayoun, clarified that after being alerted on August 27, 2021 by a journalist that personal data was freely accessible in the tree structure of the Francetest site, he noted that the vulnerability was due to a misconfiguration of the web server. The flaw made it possible to access the contents of the directory of module Z "francetest" allowing to manage the various services of the company. The source code of the service was accessible in the site directory, which contained in particular the login credentials for the patient database hosted on Yas well as extracts in CSV format from this database, that is to say in a directly readable text format.
700,000 vulnerable health data
These extracts included all the data entered by people when performing a test, mentioned above. The presence of these files is explained by a malfunction of one of the site's functionalities allowing pharmacists to export data from their patients who have performed tests. When Nathaniel Hayoun was alerted to the vulnerability, he indicated that he had shut down and restarted the "Francetest" service web server and corrected the vulnerability by making the file inaccessible. He changed the password for connecting to databases hosted at X and Y. He also added firewall rules to prevent connection to the database from servers other than those dedicated to the service " Francetest ”.
However, these measures will notbeen sufficient since according to Mediapart , "more than 700,000 results of tests , and the personal data of patients, were for months accessible in a few clicks due to flaws on the Francetest site ”. The exposed database consisted of 386,970 unique people and included their last name, first name, email address, phone number, date of birth, test result (positive or negative) and social security number (NIR).
Francetest subsequently took several measures to remedy this vulnerability, but "the service still has several shortcomings in terms of securityof data. The health data is hosted by a service provider that does not have HDS approval (hosting of health data), the authentication processes are not robust enough, the encryption methods used are weak and the logging (recording of actions of people accessing the tool) of server activities is incomplete ”estimates the Cnil.
In fact, the president of the Cnil, Marie-Laure Denis, has decided to put the company on notice to take all the measures necessary to guarantee the security of the health data that it processes on behalf of hundreds of pharmacies. It will be a question of taking all measures to guarantee the security and confidentiality of the personal data processed and, in particular, those referred to in the appendix to this formal notice. Secondly, Francetest will have to justify to the CNIL that all of the aforementioned requests have been complied with, and this within the allotted time. Thecompany has two months to do what is necessary.