French Health Service on Notice for Database Vulnerabilities

The website of medical TV show Allô Docteurs reports that the French health service has been served with an official notice to improve the security of its medical insurance database, which contains highly personal information about the vast majority of the country's citizens and service users.

Article source: "La CNIL juge les données de santé des Français trop mal protégées", the editors of allodocteurs.fr, France Télévisions, 01/03/2018

The French health service has officially been put on notice by the country’s data protection authority (CNIL), and has been told to rectify a number of security vulnerabilities in the database that holds every French citizen’s personal medical information.

The CNIL considers these problems sufficiently worrying to be made public. Although no “major flaws” have been identified, the CNIL has identified some “deficiencies” which weaken the security of the country’s centralised health insurance information system (Sniiram) in a number of different ways.

Sniiram is a database which was set up when the Carte vitale [the French social security card] was created; simply put, every time national health insurance covers the cost of someone’s medical care, an extra line is added to their file,” says Mathieu Escot, head of research at French consumer group UFC Que Choisir. Sniiram gathers data both on patients (age, postcode, general practitioner) and on the care costs that are reimbursed (medical treatments, prescriptions, hospital fees).

“This database was originally designed as a way of managing the reimbursement of medical charges, allowing the national health insurance system to know the nature of the costs incurred,” adds Mathieu Escot. “It is an exhaustive database, and if you were to have access to any specific person’s information, you would see a full record of their health care consumption. This is extremely private information, so the potential risk – and it is still only a potential risk, that should be stressed – is considerable. Given how sensitive the information is, numerous measures have been put in place to protect it.”

How to Assure Anonymity?

Access to the database for research purposes, as a basis for epidemiological studies for example, is now possible under certain conditions. In order to access the files, users need official authorization and only have access to an altered version of the data. For reasons of privacy, patients’ names are changed and other data (address, name of the G.P, etc.) are also encrypted or modified to avoid identification via cross-referencing of information. “Many other rules have been established to prevent anyone from indirectly identifying the individual hidden behind the encoded information. For example, if only one person has undergone a specific type of surgery, during a given period of time in a particular town, the Sniiram won’t authorise the request.”

In May 2016, a report by the French Court of Audit concluded that the security of this database could – and should “be reinforced”. Between September 2016 and March 2017, the CNIL also carried out a series of checks, which pinpointed “numerous deficiencies” in the Sniiram. The investgation revealed that personal information was not rendered sufficiently anonymous, and that it was difficult to guarantee that only authorised users were given access.

Theoretical Risk of Unethical Use

The theoretical risk is that third parties – like banks, insurers, employers, relatives and friends – could get information about your health and your medical background without your consent,” explains Mathieu Escot. “But once again, it’s important that we’re only talking about potential risk, because if there had been any actual breaches, there would have been court cases. We don’t want to fuel public paranoia: the database is not easy to access – even though some deficiencies have been detected – and even once you’ve accessed the database, it’s nothing like Facebook, information is encrypted, so it’s still difficult to handle.”

Why the delay?

The French health service has been given three months to fix these vulnerabilities. It has stated in a press release that it is working on new algorithms which will prevent people from being identified via any of the information accessible in the database.

At UFC Que Choisir, we’re surprised to learn that the first checks were carried out back in autumn 2016,” says Mathieu Escot, “and yet formal notice was not given until February 2018. It is not very reassuring to think that the CNIL spent the best part of two years investigating, before providing any information. The amount of time taken to deal with this question raises serious concerns.”

 

Translated by Sarah Dantreuille, Laura Chardar and Loïc Loembe.

Editing by Sam Trainor.

Le Club est l'espace de libre expression des abonnés de Mediapart. Ses contenus n'engagent pas la rédaction.