France's CNIL fined IQVIA €5 million for GDPR violations involving health data warehouses holding records on tens of millions of patients.
France's data protection authority has sanctioned IQVIA OPERATIONS FRANCE with a €5 million administrative fine for multiple violations related to the management of two health data warehouses [1]. The decision, published on May 28, 2026, follows inspections that began in 2021 and concerns records on tens of millions of patients [1]. This enforcement action is one of the larger health data penalties the CNIL has issued against a private sector actor [1].
Key takeaways
The case centers on two authorized data repositories: LRX, which tracks longitudinal prescription data from approximately 14,000 pharmacies, and EMR, which aggregates electronic medical records from roughly 2,000 to 3,000 physicians [1]. According to the CNIL's deliberation, the LRX system contained a design flaw where data extraction modules ran even at pharmacies that had opted out of the panel [1]. Although this data was supposed to be filtered out by a trusted third party, the authority found that extracting it at the source violated GDPR requirements for data protection by design [1].
Furthermore, the EMR warehouse and the broader infrastructure suffered from significant security deficiencies [1]. The authorization for the EMR warehouse required multi-factor authentication, but inspections revealed users were accessing the system with only a username and password [1]. Additionally, the company had failed to implement network segmentation, meaning a compromised workstation could potentially reach warehouse servers directly [1]. IQVIA confirmed that by March 2026 it had remediated the authentication and segmentation issues and improved log analysis [1].
The regulatory proceeding originated from on-site inspections at the company's headquarters and Parisian pharmacies in 2021, triggered by a broadcast investigation into patient data flows [1]. During these visits, inspectors found that none of the four observed pharmacies were handing out the required notices explaining IQVIA's data collection or displaying the mandatory information posters [1]. The CNIL's enforcement chamber, known as the formation restreinte, treated these violations as serious given the scope of the data involved [1].
The decision closes a long-running proceeding that saw IQVIA attempt to use a September 2025 European Court of Justice ruling on pseudonymized data as a legal defense, an argument the regulator rejected [1]. The French entity, a subsidiary of the US-listed IQVIA group, reported revenue of €152.6 million in 2023 [1].
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 2 outlets · Jun 2, 2026
This fine underscores the strict obligations placed on entities handling sensitive health data under the GDPR and French law [1]. It highlights that technical architecture, such as ensuring opt-outs are respected at the source rather than filtered later, is critical for compliance [1]. The penalty also serves as a precedent for how regulators view the security of pseudonymized data, rejecting the notion that pseudonymization alone provides a shield against enforcement [1].