The personal data of around 1.4 million people who were tested for Covid-19 in Ile-de-France in mid-2020 has been stolen by hackers. It may have been collected through a flaw in a data transmission service managed by the AP-HP.
From attacked, the appointment scheduling service hacked, medical data leaks and huge security breaches …, the security of medical-related IT systems is being undermined, and these infrastructures are a prime target for hackers. Yesterday, it was the Assistance Publique-Hôpitaux de Paris (AP-HP) that disclosed an attack it suffered this summer: an intrusion into the organization's systems that led to the theft of a file containing the personal data of 1.4 million people. These are patients located in Ile-de-France who underwent a Covid-19 screening test in mid-2020. The data collected includes the identity, social security number and contact details of the people tested, as well as those of their attending physician. However, no medical data was stolen, apart from the result of the screening test.
After the attack was confirmed on September 12, the health organization explains in its press release that it filed a complaint with the Paris prosecutor on Wednesday. An equivalent complaint was also filed by the Ministry of Health.
A security breach on a third-party service
Once again, there was a weak link. As with the lack of data protection lately concerning 700,000 patients who had also been screened, it was the vulnerabilities of a third-party service that allowed hackers to retrieve personal data. As in that case, it was again not the national file of screening tests (SI-DEP) that was targeted, but a secure file-sharing service. This service is said to have been used very occasionally in September 2020 because of temporary difficulties with the SI-DEP platform in transmitting data. The third-party tool was therefore used to send the Health Insurance and the regional health agencies (ARS) information useful for the follow-up of contact cases. In its press release, the AP-HP underlines that the people concerned by this data theft will be contacted in the coming days.
On, the AP-HP had already suffered a violent , but the hackers’ ambition was not necessarily the end goal, but the start of a long campaign that may have collected this data.