An undisclosed French hospital appears to have suffered a significant data breach, exposing the medical records of 758,912 patients. The incident, originally reported by BleepingComputer, occurred when a cybercriminal gained access to the hospital’s electronic patient record (EPR) system. A threat actor using the cyber nom de guerre “nears” claimed responsibility for the attack on Breachforums, adding that they also had access to an additional 1.5m records following similar strikes on other online medical platforms.
In the case of the as-yet-unnamed French hospital, the hacker claimed to have targeted MediBoard, an EPR solution provided by French company Softway Medical Group, which is widely used across Europe. Softway Medical Group confirmed that the attacker compromised a MediBoard account but emphasised that the breach did not result from a flaw in its software or misconfiguration on its part. Instead, stolen credentials belonging to the hospital were used to gain unauthorised access.
Following the breach, the cybercriminal reportedly began selling access to the MediBoard platform for several French hospitals, including Centre Luxembourg, Clinique Jean d’Arc, Clinique Saint-Isabelle, Clinique Alleray-Labrouste, and Hôpital Privé de Thiais. The advertised access would purportedly allow buyers to view sensitive healthcare and billing information, modify patient records, and even schedule appointments.
Softway Medical Group denies fault in the breach
In a statement to French media, Softway Medical Group clarified its role in the incident, saying the exposed data was hosted by the hospital, not the company. “On November 19, 2024, a cyberattack was detected within a healthcare facility using the Mediboard software,” the company stated. “We want to emphasise that the affected health data were not hosted by Softway Medical Group.”
To verify their claims, the hacker allegedly listed the records of 758,912 patients from one unnamed French hospital for sale. The compromised data reportedly includes full names, dates of birth, gender, home addresses, phone numbers, email addresses, physician details, prescriptions, and health card histories.
The stolen data has reportedly been offered to three potential buyers, though no sale has been confirmed. Even if the data remains unsold, the risk of it being leaked online for free remains high, potentially exposing affected individuals to phishing scams, identity theft, and other forms of cybercrime.
Last month, French internet service provider (ISP) Free reported that hackers breached its systems, resulting in the theft of customer data. The ISP informed both the National Agency for the Security of Information Systems (ANSSI) and the National Commission for Information Technology and Civil Liberties (CNIL) of the cyberattack.
Read more: Equinox faces cybersecurity breach impacting client and staff health data
