French regional healthcare agencies have been targeted by cyber-attacks compromising the personal data of patients across the country.
On September 8, the regional healthcare agencies (ARS) for three regions, Hauts-de-France (Upper France), Normandy and Pays de la Loire (Lower Loire), issued security alerts warning about recent cyber-attacks carried out against the servers hosting the identity data of patients from public hospitals in the regions.
All three agencies described a very similar incident with the same impact.
Preliminary investigations have confirmed multiple cyber-attack attempts, conducted over time, against the information systems of at least these three ARS, said the Normandy agency.
According to the Hauts-de-France agency, compromised data includes personally identifiable information (PII), such as patients’ full names, ages, phone numbers and email addresses.
However, at this stage, no healthcare information seems to have been exposed, the three agencies confirmed.
“The compromised accounts have been disabled and additional security measures were immediately implemented to prevent any further unauthorized access of this kind,” said the Normandy-based agency.
How Attackers Collected Patients’ PII
These investigations also revealed that unauthorized access was gained through the impersonation of healthcare professionals.
The fraudulent access resulted in the breach of personal data (administrative records) belonging to users.
In practice, unauthorized access to the accounts of healthcare professionals allowed the attackers to access systems managed by regional e-health development support groups (GRADeS).
GRADeS are region-specific institutions that offer healthcare professionals common digital services across the region.
For instance, Normand’e-Santé, the GRADeS for Normandy, has a portfolio of 43 services, including Therap-e, a telehealth digital platform that offers remote medical consultations and emergency appointment services.
According to the French cybersecurity expert Damien Bancal, author of the cyber website Zataz, attackers likely scraped patient data from these GRADeS-controlled systems.
Phishing Attempts Most Pressing Concern
In its advisory, the ARS Hauts-de-France emphasized that this incident has had no impact on the operations of hospitals in the region or on the region’s digital health services.
“The primary risk associated with these cyber-attacks relates to phishing attempts,” the message reads.
“As a reminder, healthcare professionals or medical/social institutions will never request the transmission of personal information (bank details, social security numbers, passwords, etc.) via email, phone or SMS.”
The ARS Pays de la Loire said it plans to inform every potentially affected patient in the near future.
Finally, Normand’e-Santé has filed reports with the French data protection authority (CNIL) and complaints have been lodged with the relevant authorities.