The software publisher Dedalus France took stock of the medical data leak which affected nearly 500,000 people in France, and for which a judicial investigation was opened.

Twenty-eight laboratories have been identified as being the victims of these leaks, mainly in the west of France.

Dedalus France, a publisher of software for healthcare establishments, said on Friday that it had identified among its customers 28 laboratories affected by the medical data leak, which affected nearly 500,000 people in France.

"Dedalus France confirms that it is investigating a serious act of cybercrime that led to the data breach of some of its laboratory customers," the company said in a statement.

The company says it has informed these laboratories, located in 6 departments of the Brittany, Centre-Val de Loire and Normandy regions, and "is cooperating with the competent authorities to determine the sources of this cyberattack".

AFP noted on Tuesday that a file comprising 491,840 names, associated with contact details (postal address, telephone, email) and a social security registration number, circulated freely on at least one forum referenced by research.

A period of five years

These names were sometimes accompanied by information on blood group, attending physician or mutual insurer, passwords, or comments on the state of health (including a possible pregnancy), drug treatments or pathologies (in particular HIV).

According to the CheckNews verification section of the daily Libération, which investigated the subject, the data correspond to samples taken between 2015 and October 2020.

"The data leak is being investigated by the National Information Systems Security Agency (Anssi), the Ministry of Solidarity and Health, in conjunction with the Cnil and the software publisher, old installations of whose laboratory management solution are suspected of being involved," the Directorate General of Health told AFP on Wednesday evening.

Judicial investigation

A judicial investigation was opened the same day and entrusted to the cybercrime section of the Paris prosecutor's office, on charges of "fraudulent access and maintenance in an automated data processing system" and "fraudulent extraction, detention and transmission" of this data.

The Cnil, the watchdog for personal data, had not, however, been notified until Wednesday of a data breach of such magnitude, as required within 72 hours by the European data protection regulation (GDPR).

The GDPR provides for penalties of up to 4% of turnover for this type of incident.

In the event of a high risk for the rights and freedoms of natural persons, the responsible companies must also individually notify the victims of the leak.