"What can we do about this?": Sensitive medical information from nearly 500,000 people in France found itself on the internet, a data leak of "particularly serious gravity" according to the Cnil, which plunged the patients into incomprehension and anger.
"Thank God, I have no illness ... I will go tomorrow morning to complain to Social Security. It is not normal that there is a hacking at the level of our health record (sic)" , complains to AFP Aïcha, 36, after hearing the news.
AFP observed that a file containing 491,840 names, associated with contact details (postal address, telephone, email) and a social security registration number, was circulating freely on at least one forum indexed by search engines.
These names are sometimes accompanied by details such as blood group, attending physician or complementary health insurer ("mutuelle"), or by comments on the person's state of health (including a possible pregnancy), drug treatments or pathologies (in particular HIV).
According to the CheckNews section of the daily Liberation, which investigated the matter, the data appears to come from around thirty medical biology laboratories, located mainly in the north-western quarter of France, and corresponds to samples taken between 2015 and October 2020.
"The data leak is being investigated by the National Information Systems Security Agency (Anssi), the Ministry of Solidarity and Health, in conjunction with the Cnil and the software publisher, including it is suspected that old installations of its laboratory management solution are involved, "the Directorate General of Health told AFP on Wednesday evening.
Anssi had previously told AFP that it had identified the "origin" of the health data leak and reported it to the Ministry of Solidarity and Health in November 2020.
"The necessary recommendations were given by Anssi to deal with the incident," the agency added, without giving any further details.
"The preliminary findings seem to indicate that this is indeed a data breach of a particularly significant scale and seriousness and suggest that the data would come from medical analysis laboratories", finally established the Cnil in a blog post, a few hours after launching its own checks.
- Posted online after a dispute -
However, the Commission, which is responsible for personal data, had not as of Wednesday been notified of a data breach of this magnitude by the company or companies responsible, as the European General Data Protection Regulation (GDPR) requires within 72 hours.
The GDPR provides for penalties of up to 4% of turnover for this type of incident.
"If there is a high risk for the rights and freedoms of natural persons, companies must also notify individually" the victims of the leak, told AFP the secretary general of the CNIL Louis Dutheillet de Lamothe.
"I'm the type + live happily live hidden +", but "what can we do about that?" Asks Amélie, 34, another victim interviewed by AFP.
"I don't have an exciting life at that level, what's in their interest?"
"I don't know what to do, it's the first time it's happened to me," admits the young mother.
"Is the government going to take all of this away?"
According to Damien Bancal, a specialist journalist who first identified the leak on February 14 on his Zataz blog, this file was the subject of commercial negotiations between several hackers on a Telegram group specializing in the exchange of stolen databases.
One of them posted it on the web after an argument.
"500,000 data is already huge and nothing prevents the thinking that hackers still have much more," he told AFP.
This massive medical data leak comes against a backdrop of cyber attacks increasingly targeting healthcare establishments.
"There have been 27 cyber attacks on hospitals in 2020 and since the start of 2021, it's been one attack per week", noted last week the Secretary of State in charge of digital Cédric O.
These hospitals, laboratories and platforms, which manage sensitive data, have become prime targets since the start of the health crisis.
President Emmanuel Macron presented on February 18 a plan of one billion euros intended to strengthen their cybersecurity.
© 2021 AFP