The "administrative data" of some 15 million French people, as well as comments written by their doctors, were the subject of a massive leak during a cyberattack that targeted 1,500 doctors using software from the company Cegedim Santé, the Ministry of Health admitted on Friday.
While this leak mainly concerned data such as patients' names, surnames, telephone numbers or postal addresses, it also involved, for 169,000 of them, free annotations entered by doctors, "some of which may be sensitive data", or "11% of cases", the ministry specified during a press briefing.
The hack involved "19 million computer entries" (including 4 million duplicates) contained in a database with "between 3 and 15 years of history, depending on the date the software was installed in doctors' offices." This explains why it contains the data of millions of patients, far more than the information entered by 1,500 doctors, the ministry explained.
"No health documents have been released, nor prescriptions, nor results of biological tests," the same source stated, while admitting that it did not have "comprehensive visibility on the extent of the administrative data" stolen.
For the ministry, the only new development regarding this cyberattack, which "dates back to late 2025," is the "claim of responsibility by the hacker," whose "identity" and "nationality" are currently unknown. A hacker group called DumpSec claimed responsibility for the theft of this data, explaining that "a former member" had subsequently "decided to resell some of the information," reports cybersecurity expert Damien Bancal on his website.
When contacted by AFP, the French Data Protection Authority (CNIL) stated that it was "not able, at this stage, to confirm the extent of the alleged breach." It will analyze "these revelations carefully and will conduct investigations if necessary."
France 2, which broke the story Thursday evening, claims to have found "very precise" data on several patients in the leak, including their homosexuality and whether they were HIV-positive. Information on prominent political figures is also included, according to the public broadcaster.
On Friday, the Ministry of Health told AFP that it had instructed Cegedim Santé, a major player in the medical data management sector in France, to "immediately implement" corrective measures after this cyberattack.
The company filed a complaint on October 27, 2025. "Employees reported receiving extortion emails claiming that several thousand personal data had been hacked," the public prosecutor's office reported on Friday.
– “Personal notes” from doctors –
A major player in the medical data hosting sector in France, Cegedim Santé - a subsidiary of Cegedim - admitted on Friday that it had been the victim at the end of 2025 of a cyberattack that targeted 1,500 practitioners out of the 3,800 doctors using its MLM software.
For Cegedim, the hacked data comes "exclusively" from the patients' administrative file (name, surname, sex, date of birth, telephone number, etc.) which could however contain, for "a very limited number" of them, "personal annotations from the doctor concerning sensitive information".
The company assured that "the structured medical records of the patients remained intact."
– “Underinvestment” –
The ministry, for its part, pointed to the responsibility of the "private service provider responsible for data processing," insisting that this leak "results neither from a failure of the ministry's systems, nor from an infrastructure under" state control.
But "health data has a very strong emotional dimension, because it touches on people's intimacy," Nicolas Arpagian, strategy director at Jizô AI, told AFP.
For Gérôme Billois, a cybersecurity expert at the consulting firm Wavestone, the "very serious" leak, which could be "the biggest in France" in the health sector, will have "irreparable consequences." Because "once health information that says: 'You have AIDS' or 'you have such and such a disease' is out, you can never go back," he told AFP.
He sees this as the consequence of "years of underinvestment in cybersecurity" in healthcare.
Agnès Giannotti, the president of MG France – the main union of general practitioners – acknowledged on France Inter on Friday "a real concern for trust and safety for patients and for the penalization of our practice".
In September 2024, the CNIL fined Cegedim Santé 800,000 euros for processing health data without authorization.
