The French healthcare sector has been hit by one of the largest security incidents in the country's history. The Ministry of Health confirmed that a cyberattack on the company Cegedim Santé resulted in the theft of administrative data and medical notes belonging to nearly 15 million citizens. The investigation is focusing on the MLM software used by approximately 1,500 doctors. The scale of the breach raises serious concerns about patient privacy across the country.

Data leak of 15 million people

An attack on the MLM software of the company Cegedim Santé led to the disclosure of administrative data belonging to a significant portion of France's population.

Intimate notes online

The database contains doctors' comments regarding patients' sexual orientation, religion, and personal problems, which grossly violates medical confidentiality.

Prosecutorial investigation

Authorities in Paris have launched an investigation into the cyberattack, examining how the mass download of protected records occurred.

The French are grappling with the consequences of an unprecedented medical data leak affecting nearly a quarter of the population. The Ministry of Health and the company Cegedim Santé have officially confirmed that the target of the attack was the MLM software used by primary care physicians. Although the technology provider initially tried to downplay the incident, pointing to a leak of only administrative data, a journalistic investigation by France Télévisions revealed a much darker side to the affair. The database, which ended up on the dark web, contained not only names and phone numbers but also intimate notes made by medical professionals.

Since the introduction of GDPR in 2018, medical institutions in the European Union have been obliged to apply the highest encryption standards; however, errors in authorizing external software remain the weakest link in the systems. The stolen dataset contains exceptionally sensitive information that doctors entered in comment fields. Records concerning sexual orientation, religious beliefs, and even details of patients' family dramas have been revealed. According to the General Directorate for Health Protection, the attack may have been carried out by seizing doctors' access credentials, which allowed hackers to download records en masse. E-health in France is facing its biggest crisis of confidence in history, especially as prominent politicians and officials are among the victims.

"The information concerned comes exclusively from the patient's administrative file: surname, first name, gender, date of birth, telephone, address, email, and free-text administrative comment at the discretion of the doctors."
— Cegedim Santé

In response to the crisis, the MG France doctors' union called for a thorough reform of the functioning of digital patient records, questioning the security of current data storage models. The Paris prosecutor's office has launched an official investigation into unauthorized access to the data processing system. Cybersecurity experts warn that the leak of such detailed notes could become a tool for blackmail or targeted phishing. Verification is currently underway as to whether hackers managed to permanently compromise Cegedim's entire infrastructure or if it was merely a point leak from specific user accounts of the MLM software.

Scale of the data leak in France (figures in millions): number of victims (estimate): 15; number of software users: 0.0015; population of France (context): 68.