Hospital officials said on Wednesday the theft affects around 1.4 million people who took tests in the greater Paris Île-de-France region in the middle of 2020. The identities, social security numbers and contact details of patients were stolen, as well as their test results.
It’s the latest in a string of high-profile hacking cases concerning personal data in France this year.
“One issue in recent years has been that businesses, administrations and associations haven’t put in place systems to detect data leaks. You only realise data has been stolen once it’s too late,” data protection expert Denis Jacopini told The Local.
“It’s as if you had no way of knowing your car has been stolen, because it’s not your car that’s been stolen, but a copy of your car. Either you find traces of this copy on the dark net, or the hackers claim responsibility. But there’s no certainty about when it was stolen, or what was stolen.”
So how worried should you be if you happened to take a Covid-19 test in the Paris region last year?
“There’s a lot of information in the database that can be used to steal someone’s identity,” Jacopini said.
“From the moment I have a name, date of birth, address, email address, phone number, there are a lot of services which ask for this information to check it’s you. From the moment I have this information for a whole population, I can pretend to be whoever I want. I can do administrative procedures, call your bank and have far more sensitive information because they’ll believe it’s you.”
He added: “The uses are practically infinite.”
For those people whose test result was positive, Jacopini warned there is a risk this information could potentially lead to discrimination, if it is used to refuse access to health insurance, bank loans, or other services.
There’s precedent in France
This isn’t the first time testing data has been leaked during the pandemic. On August 31st, Mediapart revealed that the names, dates of birth, addresses, email addresses, phone numbers, social security numbers and test results of 700,000 people were easily accessible online, due to security flaws in private company Francetest’s software.
Scammers could use this information “to send emails or text messages and make their scams more credible,” cybersecurity specialist Mohammed Boumediane told Midi Libre at the time. “If I receive an email or text stealing the social security graphics, and then there is my social security number or a reference to my last test result, I’m more likely to fall into the trap.”
More generally, Boumediane added, “We’ve recently noticed that lots of health establishments are using very old software, rarely updated, and so very exposed to attacks.”
In February, the medical data of 500,000 people was taken from 30 medical laboratories in northern France and shared on hacker forums and dark web sites.
If stories like this are often in the media in France, Jacopini said this could be because, “Generally speaking, the French are known for being more naive and less aware of the risks than elsewhere.”
According to Omar Gaouar, cybersecurity expert and professor at the Institut national des sciences appliquées in Lyon: “Data theft is very common and often we don’t even know about it because organisations don’t mention it.”
The Covid pandemic has seen an explosion in the amount of personal data that is kept online, from test results to the health pass.
“For the health pass, the risk is limited, because you can’t read much [from it],” Gaouar said. “Tests on the other hand are held by labs, which can be the object of cyber attacks.”
But it’s not just health data; for several years now, the French state has been moving more of its processes online.
Everything from applying for a driving licence to renewing your residency card can now be done remotely, for the most part. Earlier this month, the Interior Ministry reported that the online platform used for applying for French visas had been targeted by hackers.
So should you be worried about the information you’re giving away?
“Everything that’s done remotely without physical checks will encourage fraud and identity theft,” Jacopini said.
“Access to these services often uses a username and password,” Gaouar said, “and we can’t say everybody is well aware of the need to have a strong password.”
As part of efforts to simplify bureaucracy and make people’s lives easier, people in France can even access over 900 services online using a single user ID, thanks to the France Connect system.
“France Connect is a master key,” Jacopini said. “If you give this magic key to someone, following phishing attacks, it will allow them to access all of the services accessible with this key.”
You will however receive an email every time France Connect is used to log into one of these services, so it should be easy to know if you’ve been a victim of fraud.
How to protect your personal information
It’s much easier to prevent identity theft than to deal with the consequences once it’s happened. The French government has a website dedicated to advice on how to avoid falling victim to cybercrime.
If your data has already been stolen, “it’s too late to go backwards,” Jacopini said. “However, it’s very useful to know the details of what information was stolen, to know which of these can be deactivated (bank card, RIB…)”
He then recommends filing a complaint with the police so that there is a record of the theft, in order to “more easily protect yourself in case of identity theft”.
There are also steps everybody can take to protect their data.
Gaouar recommends “not browsing regularly on exotic websites, doing a security check up at least once a week” on your computer or smartphone, and “not clicking on links or attachments in emails or messages unless you’re absolutely certain”.