French regional health agencies have recently fallen victim to coordinated cyber-attacks, resulting in the exposure of patients' personal information nationwide.
On September 8, the regional health agencies (ARS) of Hauts-de-France, Normandy, and Pays de la Loire issued security alerts regarding breaches targeting servers containing identity data of public hospital patients. All three agencies reported nearly identical security incidents with similar consequences.
Investigations indicate these were not isolated events, but rather a series of sustained attacks against the information systems of multiple regional health agencies. The Normandy agency confirmed that compromised data includes personally identifiable information (PII) such as patients' full names, ages, telephone numbers, and email addresses. Importantly, all three agencies confirmed that medical records and clinical information appear unaffected at this time.
The Normandy agency reported that the compromised accounts have been deactivated and that enhanced security measures were promptly implemented to prevent similar unauthorized access.
The attackers gained entry to digital systems by impersonating healthcare professionals. Once inside, they accessed administrative records containing personal data through systems managed by regional digital health support groups (GRADeS). These organizations provide shared digital services for healthcare providers across their respective regions.
For example, Normand'e-Santé, Normandy's GRADeS, manages 43 digital services including Therap-e, a telehealth platform for remote consultations and emergency appointments. According to French cybersecurity expert Damien Bancal of Zataz, attackers likely extracted patient data from these GRADeS-managed systems.
The ARS Hauts-de-France emphasized that hospital operations and digital health services remain unaffected. The primary concern currently is potential phishing attempts targeting affected individuals.
The agency reiterated that legitimate healthcare providers will never request sensitive information such as banking details, social security numbers, or passwords via email, phone, or text message.
The Pays de la Loire agency announced plans to directly notify all potentially impacted patients. Meanwhile, Normand'e-Santé has reported the incident to France's data protection authority (CNIL) and filed formal complaints with appropriate judicial authorities.