Health and safety data: the CNIL heavily sanctions a software publisher
.webp)
La latest decision of the CNIL in 2025 sends a clear message to software publishers, especially in the health sector: a publisher has been sanctioned up to 1.7 million euros for not having implemented a sufficient level of security on software processing health data.
This sanction illustrates the strengthening of the CNIL's security requirements and the direct responsibility of publishers, including when they act as subcontractors. Software security is no longer a simple technical issue: it constitutes a major business and legal risk.
This article deciphers the key lessons of the decision and proposes concrete best practices for software publishers, especially in the health sector, in order to anticipate controls and limit sanctions.
The company NEXPUBLICA France, specialized in the design of computer systems and software, has developed a software package called Public CRM (PCRM). This tool is intended for the social action sector and is in particular used by some departmental houses for persons with disabilities (MDPH) to manage relationships with users. PCRM makes it possible to monitor the requests managed by the MDPHs in charge, while offering users the possibility to consult the progress of their file.
At the end of 2022, users alerted a company customer to the possibility of accessing the personal data of other users of the software. This situation constituted a personal data breach within the meaning of Article 4 of the GDPR. The customer then notified the incident to the CNIL, in accordance with article 33 of the RGPD, without being in a position to precisely identify the number of persons or data concerned. The CNIL decided to conduct an on-site inspection mission with NEXPUBLICA France. It is this control that led to the sanction of the software publisher.
Role and responsibilities of a software publisher: a data security obligation extended to subsequent subcontractors
The CNIL recalls that the software publisher acts as a subcontractor and as such is required to guarantee a sufficient level of security of the automated processing of personal data implemented on behalf of the data controller. Given its expertise in the development of IT solutions, it is up to the publisher to propose and deploy appropriate and necessary technical and organizational measures to ensure the security and confidentiality of data.
The publisher had tried to limit its liability by invoking that of its subsequent subcontractors, in particular the health data host, and to place full responsibility on the data controller. The CNIL rejected this argument, considering that the use of a subsequent subcontractor was in the case under only technical choice of the company NEXPUBLICA France. It was therefore up to him to ensure that the solutions proposed were free of vulnerabilities, in accordance with the EDPS position, according to which the original subcontractor remains fully responsible for the performance of the obligations of the subsequent subcontractors.
A very detailed analysis of the security measures put in place by the CNIL
The CNIL analyzes the following elements to assess the level of security required of software:
- Characteristics of data processing : nature of the data (sensitive), volume of data, data subjects (vulnerable groups), role of the software
- The potential impacts of a violation for those affected : identity theft, phishing attempt (or phishing), falsification of documents, fake blackmail or distress messages, risk of discrimination
- The state of the art : ANSSI recommendations, doctrine and best practices (e.g. abandonment of obsolete SHA techniques, use of the principle of “defense in depth”)
- The skills of the editor : claimed expertise in computer systems and software
- Security audits : content of internal and external reports carried out by experts
- Vulnerability Management by the publisher: identification and correction of vulnerabilities, systems for alerting and dealing with abnormal behavior
The CNIL recalls that the security obligation provided for in article 32 of the RGPD is a Obligation of means. She also states that the existence of a data breach does not in itself characterize a breach of Article 32 of the GDPR, nor does the absence of a breach exclude such a breach. It is therefore not the violations as such that are the basis for the breach of Article 32 of the GDPR, but the overall and structural inadequacy of security measures within the software.
With regard to the state of the art, The CNIL refers in particular to the principle of “defense in depth” promoted by ANSSI, which implies that security is not based on an isolated mechanism but on a coherent and cumulative set of technical and organizational measures. However, this global approach does not seem to have been taken into account by the publisher. In particular, the CNIL notes that the company NEXPUBLICA France used the SHA-1 hash function, identified as vulnerable and discouraged since 2017. The use of such a process, which does not comply with current security standards, characterizes a breach of the obligation to guarantee the integrity of personal data.
The CNIL also emphasizes that, given its expertise in developing IT solutions, the software publisher could not invoke a lack of knowledge to justify the persistence of obvious vulnerabilities for several months. The analysis of two code audit reports, conducted six months apart, highlights an increase in critical vulnerabilities as well as the persistence of numerous flaws. However, in view of the vulnerabilities, the company should have acted more quickly and implemented corrective measures.
In addition, despite the implementation of logging and multi-factor authentication, the impossibility of precisely identifying the data concerned by the breach that occurred in 2022 reveals insufficient traceability of the actions carried out on the PCRM and thus a generalized weakness of the information system.
Finally, the CNIL considers that even when corrected later, these vulnerabilities did exist at a high level of criticality, revealing a past failure to meet safety obligations.
Safety checklist — What software publishers (especially health software companies) should take away from this decision:
When they identify a vulnerability in the software, it is important to:
- To adopt a gait proactive and reactive, even in the absence of a data breach
- Of correct without delay critical faults and Documenting corrective actions
- To not put in production a new version of the software until critical vulnerabilities are fixed
- To inform customers corrective measures put in place to correct vulnerabilities
- If a data breach results from the vulnerability, the publisher can anticipate the notifications customers to the CNIL and to the persons concerned by sending them templates
In general, and except in the case of a data breach or vulnerability, publishers must:
- To stand always up to date security recommendations and in particular align with recognized standards: OWASP, the ANSSI...
- Conduct or have regular audits carried out taking into account and effectively treating the results
- Check the advising, alerting and warning obligations provided for in the contract with customers
Finally, among the recent breaches of personal data, we highlight the good example Donated by the publisher of the medical software Weda. The incident concerned a very large number of health homes and health professionals and the publisher's reaction was exemplary. Weda has adopted a proactive approach, both in technical correction and in supporting its customers. Indeed, Weda provided health professionals and health homes with clear communication on the incident, a step-by-step guide for reporting to the CNIL as well as ready-to-use materials for patient information. It is precisely this proactive and reactive approach on the part of software publishers (in health) that is expected by the CNIL.
For any questions or support needs, contact our IT/Data team!
Clémentine Beaussier, partner lawyer at Squair
.png)
