top of page


Health data: very specific personal data

Health data are very special personal data as they are considered sensitive. As such, it is subject to a very specific reinforced protection in order to guarantee the respect of the privacy of the persons concerned. Heart rate, blood group, genetic data, etc. heart rate, blood type, genetic data, etc.: these data are subject to reinforced protection under the law, in order to guarantee the privacy of the individuals concerned

It is important to know that health data is the most coveted data by cyber criminals who sell it for a high price! Indeed, this personal data is among the most expensive on the market as it allows attacks such as identity theft, health insurance scams, fraudulent health reimbursements, etc.


Thus, the price of a stolen medical file can reach $350 on the darknet.

Hospitals, nursing homes, connected health solutions: what are the challenges?

Healthcare institutions or professionals developing connected health products and processing data are responsible for the security of this data. In case of failure to comply with these obligations, the consequences are numerous.

  • Legal consequences, as data controllers are obliged to do everything possible to ensure the security, confidentiality, integrity and availability of the personal data processed. When this security is not ensured, the data controller must be held accountable.

  • Financial consequences, because very regularly when these health establishments are attacked, the attackers demand a ransom in exchange for the non-disclosure of the stolen data.

  • Human consequences, as the privacy of your patients, customers and users is greatly impacted in the event of a healthcare data breach.

  • Reputational consequences as well, when the message gets out and the people concerned become aware of the risk and danger to which they are exposed.

Moreover, some health data, when they lose confidentiality, can lead to a very strong stigma from professional and/or personal circles, the impact on personal life is then very great (this is the case of certain diseases or infections).

Regulatory compliance with the GDPR and thus the protection of personal data are therefore all the more important for healthcare institutions or connected health solutions. Therefore, the official designation of a DPO with the CNIL is an imperative for these establishments and companies.

Health data processing for research purposes: a special case.

The field of health research is the last field for which it is necessary to obtain authorisation from the CNIL to carry out the processing of personal data. 

Indeed, with the exception of so-called "internal" studies, all research projects in the field of health requiring the processing of health data must be subject to prior authorisation by the CNIL.


In order to facilitate these research projects, the CNIL has developed 6 reference methodologies applicable according to the type of study: when one of these reference methodologies is applicable, no prior authorisation from the CNIL is required.

Your compliance thanks to the support of a DPO experienced in health data protection

David Rozier, co-founder of CyberSecura and GDPR expert, has a solid experience as DPO of the CHU Grenoble-La Tronche, and of other hospitals and health institutions. David is responsible for the GDPR compliance business line at CyberSecura.

With the help of two legal assistants, we are already assisting health establishments (prevention and occupational health services, private companies or associations involved in the field of personal care and disability, etc.) in their GDPR compliance.


Discover the testimonies of some of our clients (all in the health sector) regarding our outsourced DPO service on a time-sharing basis.

Frédérique Guede, Head of operational organisation at PST38

Frédérique Guede.jpeg

"I'm not sure if the offer that is made exists with other providers [...]. It is a complete handling that I have not found elsewhere [...]. Mr Rozier knows how to put us at ease, how to listen to us in order to understand our problems, the way we work, the specificity of our service, so as to respond to us in the best possible way, and so as to enable us to continue to work efficiently."

Screenshot 2021-11-26 at 11.36.01.png

Jean-Christian Borel, Director of Research and Development at AGIR à Dom.

"We particularly appreciated CyberSecura's expertise, its ability to explain things in simple terms, its availability, but also its human approach. David Rozier understood our needs quite quickly, and the relationship was very simple from the start."

Khalide SEDDIK 4.JPG

Khalide Seddik, Clinical Operations Manager at NH TherAguix.

"This service is a real all-encompassing take on the GDPR aspect [and] when we have a question or difficulty we know we can call on your teams."

Find out more about our outsourced timeshare DPO service
  • What are the main issues in health data protection?
    The main issues in terms of health data protection are : A regulatory issue with possible legal sanctions in case of personal data breach. A financial issue with fines from the CNIL. A reputational issue, when word of mouth spreads about poor data protection or when the CNIL issues a public sanction.
  • Do health care institutions have to appoint a DPO?
    Yes, all organisations, public or private, processing sensitive data (e.g. health data) or processing personal data on a massive scale are required to appoint a DPO to the CNIL.
  • What particular expertise/skills does a DPO need to have to work in the health field?
    As in any field, support linked to the data used is all the more relevant if the tasks carried out thanks to these data are known and understood. It is important to have a good knowledge and understanding of the field in order to be relevant during the support.
bottom of page