The stolen files include the names of 491,840 patients, their contact information, confidential medical information and even their passwords, according to French newspaper Libération.
The document, containing addresses, phone numbers, email addresses and social security numbers, was initially shared on hacker forums and dark web sites.
For some patients the information includes their blood type, personal doctor or insurance company, and even notes on their health condition and medical treatments.
According to Libération, which investigated the leak, the data was taken from around 30 medical laboratories, mostly located in north-western France, that were all using the same software to collect their patients’ data.
🔴[Info Libé] Confidential data of 500,000 French patients stolen from medical analysis laboratories and released online. The @CheckNewsfr team has traced the origin of a health data leak of unprecedented scale in France. ⚕️ (1/4)
— CheckNews (@CheckNewsfr) February 23, 2021
The data corresponds to samples taken between 2015 and October 2020.
The database was first identified on a website called Zataz about two weeks ago. It was the subject of commercial negotiations between hackers specialising in exchanging stolen data, the newspaper reported.
The Commission nationale de l’informatique et des libertés (CNIL), the administrative regulatory body in charge of data privacy law, launched an investigation on Wednesday, according to AFP.
Several French hospitals have been the subject of cyberattacks in recent weeks, and a €1bn package of measures has been announced to address the attacks – some of which are criminal and some of which seem to be political.
#Breach of health data ⚠🎴 The CNIL reminds organisations of their obligations following a massive data leak reported in the media 👉 https://t.co/TerUYDGnf9 pic.twitter.com/7nnrBE5fDD
— CNIL (@CNIL) February 24, 2021
If the extent of the leak is confirmed, it would constitute “a particularly grave one”, considering the number of victims and the sensitivity of the information, the secretary general of the CNIL Louis Dutheillet told AFP.