Massive Data Breach Exposes Health Information of 15 Million French Citizens
Paris, France – A significant cyberattack targeting healthcare providers in France has compromised the personal data of approximately 15 million patients, prompting a national investigation and raising serious concerns about data security within the French healthcare system. The breach, which occurred in late 2025, centers around data held by Cegedim Santé, a company specializing in software for medical practices. Although the majority of the exposed data consists of administrative information, a smaller subset – impacting around 169,000 individuals – includes potentially sensitive notes entered by physicians. The incident underscores the growing vulnerability of healthcare institutions to cyber threats and the critical need for robust data protection measures.
The French Ministry of Health confirmed the scale of the breach on Friday, February 27, 2026, following reports from the media outlet France 2. The compromised data includes names, addresses, phone numbers, and dates of birth. More concerningly, for approximately 1% of those affected, the breach extends to “free text” annotations made by doctors, which could contain sensitive information about patients’ medical histories, lifestyles, or personal circumstances. The Paris Public Prosecutor’s Office has opened an investigation into “attacks on an automated data system” following a complaint filed by Cegedim Santé on October 27, 2025, according to reporting by Le Parisien.
What Happened? The Timeline of the Cyberattack
The cyberattack specifically targeted approximately 1,500 medical practices utilizing Cegedim’s MLM software, out of a total of 3,800 users. Cegedim has acknowledged the breach and is cooperating with authorities. According to the Ministry of Health, the incident did not affect state-run infrastructure, but rather a privately-held software provider. The data, spanning between three and fifteen years depending on when the software was installed at individual practices, amounts to “19 million data lines” (with approximately 4 million duplicates). This explains why the number of affected patients far exceeds the number of targeted medical practices.
Crucially, officials have stated that no actual medical documents – such as prescriptions or laboratory results – were compromised. Though, the exposure of administrative data and, for a subset of patients, sensitive clinical notes, presents a significant risk of identity theft, fraud, and potential discrimination. The Ministry of Health has emphasized that it has instructed Cegedim Santé to implement immediate corrective measures. The Commission Nationale de l’Informatique et des Libertés (CNIL), France’s data protection authority, has indicated it will analyze the situation and conduct further investigations if necessary.
Data on the Dark Web and Hacker Claims
The situation took a more alarming turn with the revelation that the stolen data is now accessible on the dark web. A hacking group calling itself DumpSec has claimed responsibility for the breach, stating that a former member subsequently attempted to sell the information, as reported by cybersecurity expert Damien Bancal. This suggests a potential financial motive behind the data exposure. The Ministry of Health has noted that the “only recent element” regarding the cyberattack, which dates back to the conclude of 2025, is the hacker’s claim of responsibility, though the identity and nationality of the perpetrator(s) remain unknown.
France 2 reported discovering “incredibly precise” data on the dark web, including information about patients’ sexual orientation and HIV status, as well as details pertaining to prominent political figures. These claims, if verified, would significantly escalate the severity of the breach and raise concerns about potential blackmail or other malicious uses of the stolen information. The Ministry of Health has not yet confirmed these specific findings but is investigating the matter.
Concerns About Underinvestment in Cybersecurity
The incident has sparked a debate about the level of investment in cybersecurity within the French healthcare sector. Some observers argue that healthcare providers, particularly smaller practices, have historically underinvested in data protection measures, making them vulnerable to attacks. The reliance on private software providers like Cegedim also raises questions about the security standards and oversight of these companies. The Ministry of Health has pointed to Cegedim as being responsible for the data processing and therefore accountable for the security of the information.
This breach is not an isolated incident. In February 2026, it was also revealed that the data of 1.6 million young people followed by local missions and France Travail had been compromised in a separate cyberattack. This highlights a broader trend of increasing cyber threats targeting sensitive data in France and globally.
What Should Affected Individuals Do?
The French Ministry of Health has not yet issued specific guidance to affected individuals, but experts recommend taking the following precautions:
- Monitor your financial accounts: Watch for any unauthorized activity and report any suspicious transactions immediately.
- Be wary of phishing attempts: Cybercriminals may use the stolen data to launch targeted phishing attacks. Be cautious of unsolicited emails or phone calls requesting personal information.
- Review your credit reports: Check your credit reports for any signs of identity theft.
- Report any suspected fraud: If you believe your information has been compromised, report it to the relevant authorities.
The CNIL is expected to provide further guidance to affected individuals as the investigation progresses. The Ministry of Health is also urging anyone with concerns to contact their healthcare provider for advice.
This data breach serves as a stark reminder of the importance of robust cybersecurity measures in protecting sensitive health information. As healthcare increasingly relies on digital technologies, safeguarding patient data must be a top priority for healthcare providers, software companies, and government regulators alike. The investigation is ongoing, and further details are expected to emerge in the coming weeks. The next update from the Ministry of Health is anticipated by March 15, 2026, when they are expected to provide a more comprehensive assessment of the breach and outline further steps to mitigate the risks.
Have you been affected by this data breach? Share your concerns and experiences in the comments below.