Source: France 2, Franceinfo, AFP, Ministry of Health — February 2026
Cegedim Santé is a subsidiary of Cegedim, one of the leading French medical software publishers. Its MLM solution (MonLogicielMedical.com) was used by 3,800 general practitioners and specialists, as well as some 25,000 medical offices and 500 health centres, according to CNI estimates.
This was not a spectacular brute-force intrusion. The attackers used doctors' accounts to send abnormal queries to the MLM software database. This discreet, targeted technique made it possible to extract 19 million rows of data, 4 million of them duplicates, representing a history of 3 to 15 years depending on the practice.
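Extraction through valid accounts shows up as query volume that does not fit an account's own history. The sketch below is an added example, not code from the article or from Cegedim: it flags days on which an account retrieved far more rows than its earlier baseline (median plus a multiple of the median absolute deviation). The log format, account names and thresholds are assumptions, and the audit lines are constructed.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed audit log (assumed format): rows returned per query, per account.
AUDIT_CSV = """day,account,rows
2026-01-05,dr_a,70
2026-01-05,dr_a,50
2026-01-06,dr_a,95
2026-01-07,dr_a,140
2026-01-08,dr_a,110
2026-01-09,dr_a,130
2026-01-12,dr_a,48000
2026-01-13,dr_a,52000
2026-01-05,dr_b,300
2026-01-06,dr_b,280
2026-01-07,dr_b,310
2026-01-08,dr_b,290
2026-01-09,dr_b,305
2026-01-12,dr_b,320
2026-01-13,dr_b,330
"""

def daily_rows(csv_text):
    """Sum the rows returned per account and per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in csv.DictReader(io.StringIO(csv_text)):
        totals[rec["account"]][rec["day"]] += int(rec["rows"])
    return totals

def flag_abnormal(csv_text, k=6.0, min_history=5, mad_floor=50):
    """Return (account, day, rows, threshold) for each day whose volume exceeds
    median + k * MAD of that account's earlier, non-flagged days."""
    alerts = []
    for account, days in daily_rows(csv_text).items():
        history = []
        for day in sorted(days):  # ISO dates sort chronologically
            rows = days[day]
            if len(history) >= min_history:
                med = median(history)
                mad = median(abs(h - med) for h in history)
                # mad_floor keeps very regular accounts from alerting on noise
                threshold = med + k * max(mad, mad_floor)
                if rows > threshold:
                    alerts.append((account, day, rows, threshold))
                    continue  # do not let the outlier raise the baseline
            history.append(rows)
    return alerts
```

Flagged days are deliberately kept out of the baseline, so a sustained extraction keeps alerting instead of becoming the new normal.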
The contract signed with the claimant must contain the following cyber security elements:
Medical annotations (169,000 cases): for 1% of patients, physicians' free-text comments were also present. These annotations may contain very sensitive information: sexual orientation, situations of violence, addictions, and intimate personal information.
Combined, these data form a very detailed personal profile. Unlike with a password leak, you cannot "change" your name, date of birth or telephone number. This information can be used indefinitely by cyber criminals.
Longer-term risks
• Identity theft
• Blackmail (for the 169,000 patients with annotations)
• Resale of data on the dark web
This incident reminds us that our medical data are valuable and vulnerable, even when entrusted to health professionals. As patients, we have the right to be informed promptly in case of a leak and to ask our doctors what data is entered in our records, including in free-text fields.
Physicians are responsible for the data entered into their software. The Cegedim incident raises the crucial issue of educating practitioners about cybersecurity: what should be written in a free-text comment? These issues must now be part of the ongoing training of health professionals.
The cyber attack highlights the responsibilities of technology providers. Despite a CNIL fine in 2024, Cegedim Santé had not yet sufficiently secured its systems. The ministerial program has begun to move things forward, but community medicine remains the poor relation of cybersecurity.