When we think about our data being leaked onto the internet, we often picture it as our financial records, our passwords, our names and addresses... what is less often considered is the exposure of our private medical information.
A French hospital has found itself in the unenviable position of learning that hackers have gained access to the medical records of over 750,000 patients following a cyber attack.
A hacker calling themselves "nears" claims to have compromised the systems of multiple healthcare facilities across the country, claiming to have gained access to the records of over 1.5 million people.
According to "nears", the security breach was made possible after they gained unauthorised access to Mediboard, an electronic patient record (EPR) system used by many hospitals across Europe.
Softway Medical Group, the developers of Mediboard, has confirmed that a malicious hacker did succeed in compromising a Mediboard account but declared that the security breach was not the result of a misconfiguration or software flaw but instead through the theft of login credentials used by the unnamed hospital.
In a letter shared with French journalists, Softway Medical Group said the attack was detected within a healthcare facility using Mediboard on November 19 2024, and emphasised that the stolen data was not hosted by Softway.
As Bleeping Computer reports, the purported stolen records of 758,912 patients includes:
- Full names
- Dates of birth
- Gender
- Home addresses
- Phone numbers
- Email addresses
- Physician details
- Prescription histories
- Health card usage information
Posting on an underground website, "nears" has offered for sale access to the Mediboard platform for other hospitals in France, claiming that purchasers would be able to view sensitive healthcare and billing information, schedule appointments, and modify patient records.
At the time of writing, there is no evidence that anyone has purchased the data, although the hacker claims to have shared records with three potential buyers.
There are clearly serious risks from sensitive information like this falling into the hands of cybercriminals. The threat that the data could still be leaked online remains (regardless of whether a purchaser is found or not), and patients could potentially be exposed to identity theft, phishing, and social engineering attacks from fraudsters and scammers.
Make sure to read about Tripwire's advice and solutions for helping healthcare institutions protect patient data and ensure compliance with regulatory standards.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.
