Hacking medical data: how do you know if you are one of the 500,000 French people concerned? : Current Woman The MAG

For several weeks, the medical data of 500,000 French patients have been circulating on the web. The file discloses private information such as the surname, first name, address, social security number and mobile number of the insured persons, as well as the name of the attending physician. It also gives details of the patient's state of health, such as possible pregnancy, prescribed treatments, HIV status or disability.

Confidential information stolen from laboratories

The existence of this file was revealed by Damien Bancal, a specialist journalist, on his website Zataz on February 14th. This sensitive database has been distributed free of charge on the Internet; it was therefore not sold by a hacker. "As far as I know, at least four hackers have sought to market them. But they argued publicly on several Telegram channels. In revenge, one of them released at least one clip," explained the specialist to our colleagues from Libération. These private medical data, now freely accessible, have therefore lost their financial value.

This large-scale hack could therefore increase the risks of identity theft, false prescriptions and fraudulent messages that play on the recipients' health problems. According to an investigation by CheckNews (Libération), these medical data do not come from hospitals or general practitioners' offices, but from medical biology laboratories. About thirty facilities were targeted by the hack. They are located in Morbihan, Eure, Loiret, Côtes-d'Armor and Loir-et-Cher.

Data breach: is it possible to hack other personal information?

What do these medical analysis laboratories have in common? They all used Dedalus, software for entering medical and administrative information. The leaked data correspond to samples taken from 2014 to 2020.

In its investigation, CheckNews also pointed out that the login passwords in the file were chosen by the patients and were not assigned by the medical testing laboratories. Insured persons could log in to "patient areas" to obtain their test results. Because patients chose these passwords themselves, they may have reused them on other services, so the passwords can be used to access other data such as banking information, social networks or business emails.

How do I know if I am part of the file?

In a statement, the National Commission for Information and Freedoms (Cnil) indicated that it "is currently carrying out checks to officially confirm the availability of the file". It also recalled the obligations of organizations in the event of "data breaches of significant magnitude and severity". The latter must in particular notify victims of the leak of their data within 72 hours of becoming aware of it. When the leak presents significant risks to rights and freedoms, companies must also inform the persons concerned of the distribution of their personal information. In the case of this hack, the medical biology laboratories did not contact their patients at the time of the disclosure of the file.

At this time, there is no way to access the file to verify whether you are in it or not. Potential victims of the hack must therefore be careful and watch out for fraudulent messages and/or emails. "The critical point in this matter is that this is genuine data that cannot be changed like changing a password after a hack. We will have to make people aware of the fact that this information circulates and can fuel sophisticated phishing operations and identity theft," said Nicolas Arpagian, cybersecurity expert and teacher at the École de Guerre Économique, on RTL.

On Wednesday, February 24, the cybercrime section of the Paris prosecutor's office opened an investigation for "fraudulent access and maintenance in an automated data processing system" and "fraudulent extraction, possession and transmission". The European General Data Protection Regulation provides for fines ranging from 2% to 4% of turnover and up to 20 million euros for this type of crime. Those responsible for the offense also face a potential prison sentence of 5 years and a fine of 300,000 euros.
