France’s privacy watchdog said it’s investigating the leak of sensitive health data on half a million people and said the companies involved could face heavy penalties if they don’t come forward with details of the breaches.
The leaks were of “particularly significant magnitude and severity,” the CNIL said in a statement. Hackers may have infiltrated software made by Dedalus France that was used by medical testing laboratories, according to press reports.
The privacy watchdog cited media reporting on the incidents and said the companies should have notified it of the breaches within 72 hours. It said the individuals affected should also be informed. It was unclear if the victims had been informed as the CNIL reacted to the leaks.
A first mention of the data set popped on the darkweb on Jan.31 and later by another anonymous account on Feb.4. The extensive document was published on Feb. 12 under the mention “500,000 French hospital records” and it was shortly after posted other darweb sites sites, including a Russian forum, according to a CybelAngel white paper on the leaks.
Online tech newsletter Zataz first reported the breaches on Feb. 14.
“This is most serious leak of personal, intimate health data we’ve seen on the darkweb so far,” said David Sygula, a senior analyst at CybelAngel, a cyber security firm. “The data was released in one file this month, we believe.”
The leaks lasted from 2015 until October 2020 and garnered data including blood groups, sexual transmissible infections status, pregnancies, social security numbers, and other information, according to Sygula. The list includes information on about 488,000 patients, he added.
Dedalus, an Italy-based group, said “the origins and cause of the leaks are unknown.” A spokeswoman for the company said it was probing the incident including with unnamed contractors. Dedalus said the software was no longer sold by the company since 2019 and it had stopped maintenance.
Macron Rushes to Shore Up French Cyber Defenses After Attacks
France has been targeted by multiple attempts to hack its medical systems in recent months, including two ransomware-type attacks that disrupted important regional hospitals this month. French President Emmanuel Macron said cyber defense would become “a priority” of his administration.
“The number of attacks and leaks on health operators in France at the moment is insane. The vulnerability of the targets seems to be the common denominator,” Sygula said.
French cybersecurity agency ANSSI said “The necessary recommendations were given by the ANSSI to deal with the incident.”
(Updates to add analyst report, software company comment.)