Confidential medical data from almost 500,000 people in France has been stolen and released online, it was revealed yesterday.
Sensitive information, including the names and contact details (such as phone numbers, postcodes and addresses) of 491,840 people in France have been released, an investigation by news source Libération and cyber-security blog Zataz found.
Identifying information was sometimes accompanied by details of people’s blood group, social security number, birth date, GP, health insurance provider, medical treatments, illnesses (including instances of HIV) and health updates including confirmation of pregnancies.
Data now available online
The data, covering a period from 2015-October 2020, was reportedly stolen from around 30 medical laboratories in north west France.
Damien Bancal, the Zatav journalist who uncovered the story on February 14, told AFP: “You can already find the files in seven different places online.”
He said hackers that specialise in sharing stolen data had been in possession of the files and were intending to sell the information, until it was released publicly by one hacker after a disagreement.
He said: “500,000 data points is already huge, and we have no reason to doubt that the hackers have many more in their possession.”
Software provider investigating
All of the laboratories that had data stolen were using software created by the specialist healthcare provider Dedalus.
Didier Neyrat, chief operating officer at Dedalus France, told the Agence France-Presse: “We are not certain that the sole reason for this incident was Dedalus software.”
But, he added: “We have set up a crisis cell group as we are taking this seriously, and we will work in partnership with our clients to understand what has happened.”
National digital security agencies l'Agence nationale des systèmes d'information and le gendarme des données personnelles, and health body la direction générale de la santé, are yet to comment on the incident.
One of multiple incidents this year
This is not the first breach of digital security concerning French health organisations in the past year.
On February 19, 2021, the health ministry said that confidential data concerning 50,000 doctors and medical staff in France was being sold in an online cybercrime forum, including usernames and passwords.
And Cédric O, junior minister for digital affairs, said last week “there have been 27 cyberattacks on hospitals in 2020 and since the beginning of 2021”.
Two attacks on hospitals in Dax and Villefranche-sur-Saône on February 8 and 15, 2021, completely disabled internal systems.
Bug blamed for banking app malfunction
It comes as the LCL bank has confirmed that a bug, rather than a cyberattack, was responsible for issues with its banking app, which affected hundreds of clients yesterday evening.
The bug, which occurred during an update of the app, meant that some clients who accessed the app between 17:40-18:40 were able to see banking details for other clients, rather than their own.
The bank said in a letter to AFP that the information did not allow clients to identify people whose data was revealed.
But one user wrote on Twitter: “I am shocked. Connecting to the LCL app I have access to someone else’s accounts – Caroline - [I can see] what she has spent, all of her accounts, how much she has saved… what is happening with your security LCL?”
Je suis choquée. En me connectant sur mon app @LCL j’ai eu accès aux comptes de quelqu’un d’autre, une certaine Caroline, ses dépenses, tous ses comptes, son épargne avec les montants Euuuuh ça se passe comment niveau sécurité @LCL ???— Alexia Toulmet (@atoulmet) February 23, 2021
The user said that after logging out of the app, completing an update and logging back in, the app returned to normal. But she said: “I don’t want anyone to have access to my accounts. Even for 10 minutes.”
The bank said that while 72,000 clients used the app in the affected time frame, “the incident only affected a few hundred people”.
It added: “In no case was it possible to complete transactions from accounts which were incorrectly shown, nor to access information about account holders.”