A Paris hospital group has apologised to 1.4 million victims of data theft in Ile-de-France after its online systems were hacked over the summer.
L’Assistance publique-Hôpitaux de Paris (AP-HP), which manages 39 hospitals in Ile-de-France, reported the incident to the police on September 15 after it was discovered on September 12.
Data including identity details, social security numbers, contact details for patients and the medical staff looking after them, as well as Covid test results, were stolen.
No medical details, aside from test results, were taken, the hospital group said.
In a statement, l’AP-HP said: “Initial investigations suggest the theft could be linked to a recent security failure of the digital tool for sharing documents acquired by l’AP-HP and stored on our infrastructure.”
The system was used to send data to relevant bodies such as laboratories, l’Assurance maladie, and Agences Régionales de Santé. Use of the tool has been suspended.
In a letter to patients sent on Friday, September 17, l’AP-HP apologised to victims.
It advised them to exercise “the greatest vigilance” to avoid any email, phone and SMS scams that could occur as a result, including “all attempts at fraud and phishing that could come to pass in the coming weeks”.
How do I know if my data has been stolen?
The AP-HP has already contacted 600,000 possible victims of the data theft by email to let them know that their data has been compromised.
A further 800,000 who did not provide email addresses will be contacted by post from today (September 20) onwards.
In the meantime, potential victims could search the dark web themselves to see if their data is up for sale, but this is not advised by security experts.
Instead, all people who took Covid tests at an AP-HP hospital in Ile-de-France between the end of spring and the end of summer this year are advised to proceed as if their data may be at risk in the coming days.
What are the risks of this kind of data theft?
“There is a strong chance the data will be resold on the dark web,” Matthieu Dierick, security expert at application services provider F5, told RTL.
“Buyers will not be interested in whether someone tested positive or negative. However, social security numbers are like bank card numbers. They are highly confidential.”
As social security numbers are given at birth, they cannot be changed, which makes it complicated to extricate them from scams.
Criminals could use data such as a social security number and corresponding date of birth to falsify documents such as cartes vitales, or to attempt targeted phishing attacks.
Mr Dierick said a victim could receive emails that cite the exact date and location of their test and say that it “requires them to create an online account in order to get more information”.
Criminals could then resell email and password combinations used to create accounts.
These emails will be a scam, he reiterated.
How can I protect myself?
Potential victims should pay close attention to activity on their social security accounts, and report any unusual activity to l’Assurance maladie by phone on 3646.
They should also be wary of emails, calls and SMS messages asking them to share personal information.
L’AP-HP said: “Pay attention to the sender for electronic messages that you receive, be wary of attachments [in emails], and never give out your bank details.”
People who suspect they have already fallen victim to a scam can complete an official online report, which will direct them to relevant support from the authorities.
They can also contact l’AP-HP directly for assistance and information via email at firstname.lastname@example.org.