Postal address, telephone, email, social security number… These data are now available in a file which circulates on the Internet, and which concerns 491,840 French patients.
After the hospitals of Dax and Villefranche-sur-Saône, this time it is laboratories that have been targeted.
Computer attacks against healthcare establishments in France are currently on the rise.
The leak is massive.
A file containing the medical data of 491,000 French patients was published on the Internet by hackers.
These data, from around thirty laboratories located in the north-west of France, correspond to samples taken between 2015 and October 2020. A worrying leak which gives free access to very private patient data.
How to react and how to protect yourself?
"20 Minutes" takes stock.
How was this data published on the Internet?
The leak was identified for the first time by Damien Bancal, journalist specializing in cybersecurity, who says that this file can be found in "seven different places on the Internet".
According to him, this file was the subject of discussions on a Turkish Telegram hacking channel.
“One of them is a Turkish hacker well known for selling data,” he told
This file, which contains a huge amount of data, is of great value to these hackers, but it has been published on the web for free.
According to Damien Bancal, a dispute between the hackers reportedly led one of them to publish the file, or an extract of it, for free.
"500,000 pieces of data is already huge, and nothing prevents us from thinking that the hackers still have a lot more," he told AFP.
How do you know if you are affected by leaks?
For every data breach, there are sites that let you check whether you are affected.
Not this time.
“To my knowledge, this has not yet been done today,” comments Gérôme Billois, cybersecurity expert at Wavestone.
“In this case, such a site would call into question the confidentiality of the data, exposing all the other persons concerned.
If you are a client of a laboratory in the north-west of France, there is a good chance that you are concerned,” he summarizes.
While it is possible to contact your laboratory to find out whether you are one of the victims, the law requires establishments affected by a cyber attack to notify the authorities within 72 hours.
The choice can then be made to warn the people concerned.
However, the CNIL, France's data protection watchdog, indicated on Wednesday that it had not been notified by the establishments in question.
What consequences might there be for the users whose data has been disclosed?
“Pregnancy”, “HIV” or “treatment”… These data are very intimate for patients.
"It's the worst leak that exists," comments Gérôme Billois.
“We are very afraid of the leakage of our credit card data, but in France, the regulations are extremely protective for this data.
Whereas with health data, once it is known, it is irreversible.
It will be recorded on the Internet, it will be indexed by search engines, there may be medium or even long term consequences.”
Another possible consequence: these files contain passwords, usernames, telephone numbers and e-mail addresses.
This data could allow malicious people to access other services used by these patients, such as a mailbox, and also to mount more convincing scams using this verified information.
The consequences will also be legal.
Hervé Morin, president of the Regional Council of Normandy, concerned by this leak, "outlined the possibility of a criminal complaint", indicates
“There will be legal consequences,” says the cybersecurity expert.
“An investigation must determine the responsibilities shared between the initial attackers and the responsibility of the laboratory.
These establishments could also be sanctioned with a fine,” comments Gérôme Billois.
The CNIL announced on Wednesday that it had launched an investigation.
"If there is a high risk for the rights and freedoms of natural persons, companies must also notify individually" the victims of the leak, added Louis Dutheillet de Lamothe, secretary general of the CNIL.
What is planned to help healthcare facilities manage these issues?
This cyberattack in the medical sector is in addition to that of the hospitals of Dax and Villefranche-sur-Saône, on February 8 and 15.
This upsurge in incidents has led the government to allocate new budgets to strengthen the security of these health establishments.
“Hospitals will now have to put 5 to 10% of their IT investment in cybersecurity.
Cédric O and Olivier Véran recalled it last week,” according to Gérôme Billois.
The same is recommended for SMEs and very small businesses, which are lagging behind on the subject.
“Most of the time when these companies invest in software, they don't have security built-in by default.
It's like buying a car without a seatbelt.
And having seat belts fitted can be quite expensive,” he comments.
The executive has planned to allocate one billion euros, including 720 million in public funds, to strengthen the cybersecurity sector and to triple its turnover to 25 billion euros in 2025. Pending the results of this investment, the cybermalveillance.gouv.fr site was set up to help companies report a malicious act or contact experts to better protect themselves.