ctipilot.ch

Data-protection enforcement converges on a health-data controls floor — CNIL fines IQVIA €5M; California AG sues over 23andMe

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Two enforcement actions in the window set the same baseline expectation for sensitive-data controllers. CNIL issued Délibération SAN-2026-008 (26 May), fining IQVIA Operations France €5M for security failures across its two authorised health-data warehouses — no MFA on privileged access to the EMR warehouse, and no log monitoring to detect abnormal activity in either warehouse, both cited explicitly as GDPR Art. 32 failures — with a six-month injunction under a €10,000/day coercive penalty. In parallel, the California AG sued the former 23andMe (28 May) over the 2023 genetic-data breach affecting ~6.9M people, alleging a bulk-enumeration coding error plus absent credential-stuffing defences and absent MFA. The convergence is the message: regulators on both sides of the Atlantic are now treating MFA on privileged access and active log monitoring as a non-negotiable floor for health and genomic data, and pricing their absence directly. CH/EU health-data controllers should read both as a concrete control checklist, not distant precedent.