The service run by the company, which specializes in transferring coronavirus screening data, reportedly still has several data security shortcomings.
Le Monde
The National Commission on Informatics and Liberty (CNIL) announced on Thursday, October 14, that it had given the private company Francetest formal notice to secure the health data it collects on behalf of pharmacies during COVID-19 screening tests.
A security flaw that exposed some 700,000 results of antigen tests carried out in pharmacies had been revealed on Tuesday, August 31 by the news site Mediapart. Francetest had stated the next day that it had “required the assistance of cybersecurity experts”. The company, which specializes in transferring coronavirus screening test data to the government's SI-DEP platform (the screening information system), had specified that server security assessments would be carried out with these experts.
Two months to do what is necessary
After carrying out checks, the CNIL stated that the exposed database concerned “386,970 unique persons and included their name, first name, e-mail address, telephone number, date of birth, test result (positive or negative) and social security number”.
Although Francetest has taken some steps to remedy the vulnerability behind the data breach, the service “still has several data security shortcomings (…). Health data is hosted at a service provider that does not have HDS approval [Health Data Hosting], authentication processes are not sufficiently robust, the cryptographic processes used are weak, and server logging [recording of the actions of people accessing the tools] is deficient,” explained the CNIL. “The company has a period of two months to do what is necessary,” it added.
Many pharmacists use intermediaries to enter the results of the tests they carry out into SI-DEP. Francetest charges 1 euro per transmission, according to the news site Mediapart. Since Francetest is a subcontractor for hundreds of pharmacies responsible for carrying out the antigen tests, the CNIL sent a letter to “more than 300 pharmacies so that they verify their compliance with the GDPR [General Data Protection Regulation] and the security obligation”.