Transmitting and prescribing an exam

IT Security Incident

Saint-Ouen-L'Aumône, July 5th  2021

Dear Madam, Dear Sir,

We would like to inform you that our Laboratory has been the victim of a data theft following a failure of one of our service providers, in charge of hosting one of our databases.

This database containing patients' information was momentarily exposed on the Internet. The investigations we immediately conducted enabled us to conclude that unauthorised persons accessed this database and that a certain volume of data, including patients' personal data, had been exfiltrated. To date, these data have not, to our knowledge, been used.

The remedial measures that we implemented

The safeguard of our patients' data being our core priority, as soon as this incident was identified:

  • The database under consideration was isolated and made inaccessible ;
  • We set up a continuous watch on the Internet to monitor it.

Finally, we informed the competent supervisory authorities (i.e. the French Data Protection Authority (CNIL) and the Regional Health Authority) of this incident and filed a complaint to the police services.

What information is concerned?

The following categories of personal data might be impacted:

  • The surname, first name, birth date and gender of the patients whose files were put online from January 1st, 2017 to June 24st, 2021
  • The nature of the examination carried out by our Laboratory
  • The result of the examination

The database did not contain any information relating to social security numbers (NIR), bank details or postal, electronic or telephone contact details.

Our recommendations

Despite the absence of any use of these data to date, we recommend that you lookout for any unusual canvassing which could look like an attempted fraud.

If you have any questions, please send us an e-mail to rpd.cerba@lab-cerba.com or a letter to RPD - CERBA - 7-11 Rue de l'Équerre, 95310 Saint-Ouen-l'Aumône.