France’s data protection watchdog isn’t happy with the news this week that 500,000 citizens may have had their healthcare data inadvertently spilled online.

The Commission Nationale de l'informatique et des Libertés (CNIL) heard about the news from the media this week and not from the involved parties itself, something that could have ramifications for the company implicated in the news.

Under Article 33 of the General Data Protection Regulation (GDPR) data controllers are supposed to report a breach to their respective supervisory authority without undue delay and when possible no later than 72 hours.

The news stems from reports that Dedalus France, a company that develops and distributes healthcare informatics software for hospitals and other healthcare centers, may have been breached.

It appears attackers may have compromised software made by the company.

According to reports, while the data is from patients at medical laboratories across France, all were using Dedalus' software. While it hasn't been directly connected to the incident, it is the popular narrative so far – and it appears to have been serious enough to get the attention of the French data protection authority.

Dedalus, for its part, says its looking into the incident, acknowledging its software alone may not be at fault.

“We are not certain that the sole reason for this incident was Dedalus software," Dedalus COO Didier Neyrat told the Agence France-Presse (AFP). "We have set up a crisis cell group as we are taking this seriously, and we will work in partnership with our clients to understand what has happened."

Two publications, Libération and Zataz, reviewed the data this week and discovered that information on 491,840 French citizens from between 2015 and October 2020 appear to be included. Patients' blood group, social security numbers, birth date, their health insurance provider, medical treatments, and illnesses are among the data included in plain text. Non-medical data like phone numbers, postcodes and addresses are also included in the data, reportedly.

Judging from CNIL’s statement, issued on Wednesday, Dedalus hadn’t contacted the authority about the breach, either because it wasn’t aware or more likely, because it couldn’t definitively pinpoint that its software was involved in time.

Regardless of who or what is to blame, CNIL dubbed the leaks of “particularly significant magnitude and severity” and said it was carrying out checks to confirm the data is legitimate.

CNIL didn't name Dedalus by name but took the opportunity to remind organizations of their obligation to not only ensure the security of data they process but to notify the authority within 72 hours of becoming aware of a data breach. The victims should be informed in some circumstances too, CNIL said.

"When the data breach is likely to create a high risk for rights and freedoms, the responsible bodies have the obligation to individually inform the data subjects that their data has been compromised and published online."

As other reports have noted, it's the second major incident involving leaked healthcare data in France this week.

On Monday, the Ministry of Health's Cybersecurity Support Portal for Health Structures posted that a list of 50,000 user accounts belonging to hospitals in the country had surfaced on a cybercrime forum. The Ministry said it is difficult to quantify the origin of the leak but that it appears to involve logins and passwords.breach