Here in France, we’ve just experienced the country’s biggest ever data breach of customer records, involving some half a million medical patients. Worse, the data wasn’t even sold or held to ransom by dark web criminals: it was just given away so that anyone could download it.
Up to 60 fields of personal data per patient are now blowing around in the internet winds. Full name, address, email, mobile phone number, date of birth, social security number, blood group, prescribing doctor, reason for consultation (such as “pregnancy”, “brain tumour”, “deaf”, “HIV positive”) and so on – it’s all there, detailed across 491,840 lines of plain text.
Data journalism couldn’t be easier, and indeed the newspaper hacks have been on the beat, contacting the doctors listed in the file and phoning up some of the patients on their mobile numbers to ask how they feel about the data breach. The doctors knew nothing about it, and of course the patients whose personal info had been stolen – including Hervé Morin, ex-Minister of Defence, as it turns out – hadn’t the faintest idea.
According to an investigation by daily newspaper Libération, warning signs that something was afoot were first reported on 12 February in a blog by Damien Bancal at security outfit Zataz. Some dark web spivs began discussing, in Turkish-language channels on Telegram, how to sell some medical records stolen from a French hospital. Some of them then tried independently to put the data on the market and got into an argument that spilled over into Russian-language channels.
One of them, it seems, got pissed off and decided to take revenge by posting an extract of the data publicly. This was rapidly spread around Telegram’s other lesser spivlet channels and soon afterwards ended up being shared on conventional social media.
A closer look at the file reveals that it didn’t come from a hospital after all. It turns out the various dates on the patient records refer not to doctors’ appointments but to when patients had to submit a test specimen: in other words, the data is likely to have been stolen from French bio-medical laboratories conducting the specimen analysis.
Further probing by Libé revealed that the hack may relate to data stored using a system called Mega-Bus from Medasys, a company since absorbed into Dedalus France. Dating back to 2009, Mega-Bus hasn’t been updated and laboratories have been abandoning it for other solutions over the last couple of years. No patient records entered into these newer systems can be found in the stolen file, only pre-upgrade stuff entered into Mega-Bus, apparently.