A February 4, 2013 article published by the specialized healthcare news site “Actusoins” revealed data breaches at several French hospitals and clinics, demonstrating that such incidents can occur even in a highly regulated jurisdiction.
The journalist was researching another article, and entered the name of a physician into Google. The journalist was astonished to find at the top of the results the scanned copy of the doctor’s prescription for a PET scan of a cancer patient whose name was still on the prescription. Alarmed, the journalist continued her investigation and discovered numerous other data breaches, including the list of patients admitted to various services in a given hospital, a list of handicapped adults and children, and in some cases patients’ test results. The breaches originated in different hospitals and clinics.
The Actusoins website de-identified the patient data before publishing its article, and states that the relevant hospitals and clinics were informed and have in each case corrected the bugs.
France has strict laws relating to the protection of health data, with high fines and criminal sanctions for breaches. France is one of the few countries in Europe requiring that health data be stored only with hosting providers approved by the French government. In spite of these precautions, as noted in the article, compliance appears to lag, particularly among smaller healthcare facilities. Some of the facilities cited in the article made very basic mistakes in how they store and protect health data, including leaving FTP servers unsecured, so that the files on them could be fetched and indexed by search engines. France does not yet impose a data breach notification requirement on healthcare providers, but such an obligation is likely to be introduced with the adoption of the proposed EU regulation on the protection of personal data.
The Actusoins article concluded by recommending that French individuals “Google” themselves to see whether their hospital records turn up!