A file containing hundreds of thousands of medical and personal records has been circulating on the web for a few days. Here is what to do if you are concerned.
- Individuals can complain.
- The CNIL can also issue fines.
- It is also possible to hold the party that processed and hosted the data liable, by invoking the breach of medical confidentiality. In that case there may be criminal and disciplinary (professional order) complaints, as well as possible civil liability.
Address, social security number, blood group, treatments, illnesses… As AFP observed on Tuesday, February 23, a file containing the sensitive medical data of nearly 500,000 people in France is circulating on the internet. The newspaper Libération and the specialized cybersecurity blog Zataz were the first to spot the leak. The public prosecutor has just opened an investigation.
“Individuals can file a complaint”
491,840 names are associated with contact details (postal address, telephone, email) and a social security number. In some cases the records also indicate the blood group, the attending physician, the complementary health insurer, the state of health (including a possible pregnancy), drug treatments, or illnesses (in particular HIV).
What if this happens to you? “Individuals can file a complaint. Afterwards, the investigation will have to determine what the source of the leaks is, to see how we can have a right of rectification or a right of withdrawal of data, which the general data protection regulation (GDPR) provides for. Then, it is possible to engage the responsibility of the person who processed and hosted the data, by evoking the violation of medical secrecy. In this case, there may be criminal and ordinal complaints, and possible civil liability if it is proven that it has caused harm to the individual. Finally, the CNIL is also able to impose fines, which can go up to 4% of the turnover of medical practices or health establishments,” explains Laure Soulier, associate lawyer at the Auber firm, who works particularly in the medical field.
It should also be noted that employers cannot under any circumstances rely on medical data made public without the individual's consent in order to dismiss them.
What role for medical biology laboratories?
According to Libération, the information reportedly comes from around thirty medical biology laboratories, located mainly in the northwest quarter of France. The data is said to come from samples taken between 2015 and October 2020. During this period, the laboratories caught up in the affair reportedly all used the same software for entering medical and administrative information, published by the Dedalus group.
“We have no certainty that it is only Dedalus France software that is at issue in this case”, Deputy CEO Didier Neyrat told AFP. “We have set up a crisis unit because we take this seriously and we will work in partnership with our customers to understand what happened”, he continued.
Secure medical data as much as possible upstream
According to Damien Bancal, a cybersecurity journalist who first identified the leak on February 14 on his blog Zataz, this medical information was the subject of a commercial negotiation between several hackers on a Telegram group specializing in the exchange of stolen databases. One of them reportedly released the data on the Web following a dispute. “500,000 records is already huge, and nothing prevents us from thinking that the hackers still have a lot more”, he warned AFP.
The computer systems of the hospitals of Dax and Villefranche-sur-Saône (Rhône) have also recently been hacked. To limit the damage from such events, Laure Soulier advises healthcare professionals to secure medical data as much as possible upstream. “Everything must be done to ensure that there is an optimal level of security, particularly at the server level. Insuring against cyber attacks is also important”, the lawyer believes. Once the damage is done, “we must above all not give in to ransom demands. Then, we must make declarations to the CNIL (there is a 72-hour deadline). We must also inform as soon as possible the people who have been identified on the Web, and file a complaint. And, depending on the doctor's specialty, it is important to contact their insurance company right away”, concludes Laure Soulier.