A cyberattack on a French hospital exposed 750K patient records, highlighting severe data privacy risks and vulnerabilities in healthcare cybersecurity

Continue reading
The medical records of approximately 750,000 patients at an unnamed French hospital were exposed following a threat actor’s successful intrusion into its electronic patient record (EPR) system. This breach has far-reaching implications for data privacy, healthcare cybersecurity, and patient safety, highlighting systemic vulnerabilities in handling sensitive medical information.
A cybercriminal known as 'nears' (formerly 'near2tlg') claimed responsibility for the attack, boasting of access to over 1.5 million patient records across multiple healthcare facilities in France. The hacker specifically targeted MediBoard, a widely deployed EPR solution by Softway Medical Group, which serves numerous healthcare institutions across Europe.
Despite initial concerns about the software's integrity, Softway Medical Group confirmed that the breach was not due to a flaw in MediBoard itself but rather stemmed from the misuse of stolen credentials tied to a privileged account within the affected hospital's infrastructure.
November 19, 2024: The cyberattack was detected within the hospital's MediBoard system.
November 20, 2024: Softway Medical Group clarified the breach origin, distancing their software from direct responsibility.
November 21, 2024: Further investigation revealed that all compromised hospitals were part of the Aléo Santé healthcare group.
The stolen data, now offered for sale on dark web forums, includes highly sensitive and personally identifiable information (PII):
Full Name
Date of Birth
Gender
Home Address
Phone Number
Email Address
Physician Details
Prescriptions
Health Card History
Such data, if exploited, could lead to targeted phishing campaigns, identity theft, and other malicious activities, further endangering affected individuals.
The attacker's modus operandi reveals a sophisticated understanding of healthcare systems and cybersecurity:
The hacker claimed to provide buyers with administrative access to:
Patient healthcare and billing records.
Appointment scheduling and modification systems.
Sensitive operational data of multiple hospitals, including Centre Luxembourg, Clinique Alleray-Labrouste, Clinique Jean d'Arc, and others.
In an official statement to media outlets, Softway Medical Group emphasized:
The breach was not due to any inherent vulnerability or misconfiguration within their MediBoard software.
A privileged account within the hospital's infrastructure was exploited by the attacker.
They continue to work closely with impacted healthcare institutions to mitigate the fallout.
> _"We can confirm that our software is not responsible, but rather, a privileged account within the client’s infrastructure was compromised by an individual who exploited the standard functions of the solution."_
The connection to Aléo Santé underscores a systemic weakness within the group’s centralized infrastructure. With multiple hospitals using MediBoard under the same administrative framework, compromising a single privileged account granted the attacker sweeping access to all affiliated entities.
This interconnected nature of healthcare IT systems, while improving operational efficiency, also creates a high-value target for cybercriminals, amplifying risks from a single point of failure.
For Affected Patients
The exposure of such sensitive data increases risks of:
Phishing Attacks: Cybercriminals can impersonate healthcare providers to extract further information or financial details.
Social Engineering: Fraudsters may exploit the data to manipulate victims.
Identity Theft: Misuse of PII for financial or legal fraud.
Regulatory Penalties: Violations of GDPR could result in significant fines and reputational damage.
Operational Disruption: Unauthorized access to appointment systems and medical records could impact day-to-day functions.
Erosion of Trust: Patients may lose confidence in the institution’s ability to protect their data.
Segregate Access: Minimize interconnected privileges across multiple entities under a shared framework like Aléo Santé’s.
Limit Privileged Access: Employ a zero-trust model, granting users access only to necessary resources.
Anomaly Detection: Deploy advanced monitoring tools to identify unusual activity within EPR systems.

A third-party software flaw inside one of Japan's largest telcos exposed login credentials for up to 14.2 million email accounts across six ISPs. The passwords? Some were hashed. Some may not have been