
Five establishments affected by Aleo Sante data theft

November 23, 2024

Five healthcare establishments in the Paris region are affected by the leak of health data from the Aleo Sante group, which could affect thousands of patients, according to corroborating sources close to the case.

Of the five clinics or care centres concerned, only two are still in operation, the Parisian clinic Alleray-Labrouste and the private hospital in Thiais (Val-de-Marne), according to these sources.

The three other establishments concerned, the Luxembourg center and the Jeanne d'Arc clinic in Paris, and the Sainte-Isabelle clinic in Neuilly-sur-Seine, are no longer in operation.

The joint management of the Alleray-Labrouste clinic and the private hospital in Thiais has filed a complaint and notified the CNIL (the guardian of French data security), according to a source close to the management.

The affair broke out at the beginning of the week when, on a website selling stolen data, an anonymous user offered for sale the personal data of patients treated by the Aleo Sante group, claiming to have the data of 758,912 people.

According to the hacker, who revealed a sample of the stolen data online, the file put up for sale contains sensitive information: in addition to names, first names, email and postal addresses and dates of birth, medical information such as the identity of the treating physician or prescriptions is said to be particularly affected.

Once the alert was raised, investigations showed that the data had been stolen through hijacked access (a username and password) to the shared platform for managing patients' medical records used by the five establishments concerned.

Investigations are ongoing to determine exactly how many people had their data stolen, with estimates currently based solely on the hacker's allegations.

According to a source close to the case, Aleo Sante has so far identified around fifteen people whose data was stolen and is in the process of notifying them.

As of Friday, the Paris prosecutor's office had not been notified of this case.

Since the beginning of the week, several companies have been victims of data leaks.

Le Point magazine has confirmed that its readers have been affected, without revealing the number. The Paris prosecutor's office's cybercrime section has opened an investigation entrusted to the Office against Cybercrime (OFAC), the prosecutor's office said on Friday.

Direct Assurance, a subsidiary of the Axa group, also indicated that 15,000 of its customers were affected.

Their names, first names and email addresses were stolen, as well as the IBAN (international bank account number) of 5,800 of them, the company said.

"We are seeing increasing malicious activity involving the theft of identifiers and sensitive data," a representative of CERT Sante, the sector's cyber watchdog, which is attached to the Digital Health Agency, told AFP.

Companies must be "vigilant" and "strengthen the security" of data access, the same source added.
