Undisclosed French hospital exposes thousands of patient data

November 22, 2024
Undisclosed French Hospital Europe Healthcare Security Breach Cyberattack

A recent cyberattack against an undisclosed French hospital has resulted in a data breach that compromised the medical details of approximately 750,000 patients.

The exposed data occurred after the threat actors allegedly accessed the healthcare institution’s electronic patient record system. In addition, a threat actor named ‘nears’ claims to have hacked various healthcare facilities in France, claiming access to over 1,500,000 patient records.

The hacker alleges that it infiltrated MediBoard by Softway Medical Group, which provides Electronic Patient Record (EPR) solutions across Europe.

Softway Medical Group has confirmed that hackers had accessed its MediBoard account. However, it stated that this was not the result of a software vulnerability or misconfiguration; instead, it was the hospital’s use of stolen credentials.

Additionally, the affected entity assured that it was not their software but a person who used the solution’s standard functions to penetrate a privileged account within the client’s infrastructure that was to blame.

The investigation quickly backed the theory; hence, the incident was unrelated to software implementation issues or human error.

 

The selling of the stolen data against the undisclosed French hospital has sparked an uproar of speculations.

 

The cybersecurity breach at the undisclosed French hospital resulted in the attackers selling what they claimed to be access to the MediBoard platform to several French-based healthcare institutions.

This access would purportedly allow the buyer to read the hospitals’ sensitive healthcare and financial information and patient records and schedule and amend appointments or medical records.

Furthermore, the hacker auctioned off the records of the alleged 758,912 patients from the undisclosed French hospital to prove the legitimacy of their access to the MediBoard accounts.

These documents supposedly contained details, including essential data, such as full name, date of birth, gender, home address, telephone number, email address, physician, prescriptions, and health card history.

The hackers have made the data available for purchase to three users, and no buyers have yet been identified on the sale page. Still, the researchers see risk in these postings even if the data is not sold since it could be leaked online for free, exposing it to the rest of the cybercrime community.

Therefore, potentially affected individuals should be ready for unsolicited communications as the data types affected by the incident could result in phishing, scamming, and social engineering attacks.

About the author