IT Security Incident

Saint-Ouen-L'Aumône, July 5th, 2021

Dear Business Partners,

We would like to inform you that our Laboratory has been the victim of a data theft following a failure of one of our service providers, in charge of hosting one of our databases.

This database containing patients' information was momentarily exposed on the Internet. The investigations we immediately conducted enabled us to conclude that unauthorised persons accessed this database and that a certain volume of data, including personal data, had been exfiltrated.

The remedial measures that we implemented

The safeguard of data is our core priority. Hence, as soon as this incident was identified:

  • We immediately carried out the necessary remedial measures to isolate the exposed database and make it inaccessible;
  • We set up a continuous watch to identify any possible use of the data on the Internet – which is not the case to date.

We also provided, in our capacity as data controller, the competent supervisory authorities (i.e. the French Data Protection Authority (CNIL) and the Regional Health Authority) with all the information in our possession concerning this incident and filed a complaint with the police services.

What information is concerned?

The following categories of personal data, which were included in the database, might have been exfiltrated:

  • The surname, first name, birth date and gender of the patients whose files were put online from January 1st, 2017 to June 24th, 2021
  • The nature of the examination carried out by our Laboratory
  • The result of the examination

The database did not contain any information relating to social security numbers (NIR), bank details or postal, electronic or telephone contact details.

Our recommendations

Despite the actions already taken by our Laboratory and the fact that no specific contact details were available, we thank you for bringing to our attention any event or information related to this incident.

Please note that an information note for patients is published on the website www.lab-cerba.com.

Finally, we specify that, in our opinion, it is not necessary for you to notify the CNIL (or any other local Data Protection Authority) insofar as we have taken all these necessary steps in our capacity as data controller.

If you have any questions, please send us an e-mail to rpd.cerba@lab-cerba.com or a letter to RPD - CERBA - 7-11 Rue de l'Équerre, 95310 Saint-Ouen-l'Aumône.

Sylvie CADO - CEO Cerba