An article published by specialist healthcare news website Actusoins has revealed data breaches at several French hospitals and clinics, demonstrating that such incidents can occur even in a highly regulated jurisdiction.
The journalist was researching another article and entered the name of a physician into Google. She was astonished to find, at the top of the results, a scanned copy of the doctor's prescription for a PET scan for a cancer patient whose name was still on the prescription. The journalist continued her investigation and discovered numerous other data breaches, including:
lists of patients admitted to various services in different hospitals; a list of disabled adults and children; and patients' test results. The breaches originated in different hospitals and clinics.
The Actusoins website hid the patient data before publishing the article, and stated that the relevant hospitals and clinics had been informed and had corrected the breaches.
France has strict laws relating to the protection of health data, with high fines and criminal penalties for breaches. France is one of the few countries in Europe to require that health data be stored only with hosting providers approved by the French government. In spite of these precautions, compliance appears to be lax, particularly among smaller healthcare facilities. Some of the facilities cited in the article made very basic mistakes in how they store and protect health data, including failing to secure File Transfer Protocol (FTP) servers. At present, France does not impose a data breach notification requirement on healthcare providers, but such an obligation is likely to be introduced with the adoption of the proposed EU regulation on the protection of personal data.