Results of blood tests, e-mail, personal address, treatments or body mass index… Each time we consult a health professional or undergo medical examinations, our personal data is stored. This private and intimate information is strictly regulated and protected by French law, but it is sometimes stolen and published by hackers. That is what happened at the end of February, when a hacker disclosed the medical information of 500,000 French people.
The stolen data included the contact details of insured persons (telephone numbers, addresses, e-mails), blood groups, social security numbers and the list of laboratories that had access to this medical information. Most of the data came from an attack on some 30 laboratories. According to an investigation by Libération, these are reportedly medical companies located in Morbihan, Côtes-d’Armor, Eure, Loiret and Loir-et-Cher.
A strict legislative framework
The first risk, for people whose medical information has leaked, is an increase in malicious solicitations. Lists of e-mails, addresses and phone numbers are popular with hackers, who use them to flood their targets with unsolicited calls and e-mails. Identity theft, in particular to obtain medical treatment, is also among the criminals' aims.
However, France has a strict and specific legal regime to protect its citizens' medical data. Three texts form the basis of this regulation: the Data Protection Act of 1978, the Public Health Code and the Data Protection Regulation of May 25, 2018. The National Commission for Informatics and Freedoms (CNIL) also takes part in monitoring this private information and works with healthcare professionals to inform them of the best practices to put in place so that this content is as secure as possible. Whatever the medium – computer or paper – personal health data is thus subject to strict compliance with these legislative texts.
Healthcare professionals therefore have obligations regarding the data they collect from their patients. For those who store this information electronically, one duty is essential: the collected data must be hosted by approved companies. In France, the “health data host” certification has served this purpose since 2018. It is compulsory for all actors who collect personal health data “during prevention, diagnostic, care or medico-social monitoring activities”. The list of certified hosts is available on the esante.gouv.fr site.
This framework allows, for example, a pharmacist to store the data read from a patient’s health card on servers specifically authorized to receive personal data. In addition to hosting their content on secure platforms, professionals must protect it against unauthorized or illicit access and against loss, destruction or accidental damage. In practice this means using a professional health card, personal passwords or even a strong encryption system.