A file consisting of the medical data of 500,000 people in France recently circulated on the Internet because of "very insecure" software sold to about thirty laboratories.

Although it is an isolated event, it nevertheless serves as a reminder: our medical data is precious but vulnerable.

ANALYSIS

Names, telephone numbers, drug treatments… A file containing sensitive medical data, concerning nearly 500,000 people in France, recently leaked onto the internet.

Dedalus France, a publisher of software for healthcare establishments, said on Friday that it had identified 28 affected laboratories among its customers.

"The software sold to these laboratories was very insecure. The data was neither encrypted nor anonymized," explains Fabrice Epelboin, a cybersecurity specialist and guest on Europe 1 on Saturday morning.

"Medical data is less protected than bank data"

Very sensitive data, yet poorly or insufficiently protected.

"Banks, for example, invest much more in cybersecurity than the medical industry. It is a problem linked to budgetary restrictions which affect the medical sector much more than the banking sector," explains Fabrice Epelboin.

Data protection, a service "invisible" to the eye of users, can therefore be discreetly put on the back burner.

"We're going to cut back on it in order to save some money, we'll put it off until later. The problem is that IT security is a lot more complicated to set up when we develop it after the fact."

The data breach detected this week reportedly occurred during a software change.

For Fabrice Epelboin, however, this event is "not particularly worrying" since it relates to an isolated security breach.

"But this will surely have unpleasant consequences for people who have had their data stolen," he adds.

The names and social security numbers were sometimes accompanied by information about the blood group, the attending physician or the supplementary health insurer, or by comments on the state of health (including a possible pregnancy), drug treatments or pathologies (in particular HIV).

A godsend for hackers

This type of health data is a godsend for hackers.

"With this kind of information, hackers can set up a whole series of scams and racketeering," says Fabrice Epelboin.

The file was reportedly the subject of a commercial negotiation between several hackers in a Telegram group specializing in the exchange of stolen databases.

One of them reportedly posted it on the web following an argument.