Cyberattacks & Hospital Health Data

In early September, the APHP-Hôpitaux de Paris was the victim of a computer hack that resulted in the theft of more than 1.4 million people’s data related to Covid screening.
The data involved is particularly sensitive, as it relates to the health sector: last name, first name, date of birth, gender, social security number, contact information (postal address, email address, or telephone number), characteristics, and test results.
It should be noted that no other medical information is included in these listings, and that the stolen files relate almost exclusively to tests carried out in mid-2020 in the Île-de-France region. Even so, the issues and implications regarding health data remain extremely serious.
Background: Theft of medical data related to Covid
The database was stolen from a download platform hosted in New Zealand, access to which was cut off on September 14, two days after the intrusion was discovered.
According to the APHP, “to transmit to the French National Health Insurance and Regional Health Agencies data from medical biology laboratories useful for monitoring and supporting individuals (contact tracing), this service was used on a very ad hoc basis in September 2020, in addition to the national screening information system (SI-DEP), for which the APHP is responsible for implementation on behalf of the Ministry of Solidarity and Health and which was experiencing technical difficulties with its transmission tools.”
Use of health data and risks for victims
Personal information associated with the hacked account can now be distributed and sold individually or in groups on the internet, particularly the dark web.
This information can also lead to fraud attempts or identity theft for taking out loans or subscriptions. For example, the social security number gives access to the FranceConnect platform, which centralizes more than 800 civil procedures such as taxes, the family allowance fund, or the Health Insurance website.
Finally, phishing attempts, which involve sending people fraudulent emails or text messages, are likely to follow. Any contact involving the above-mentioned personal data (correspondence that appears to come from, for example, pharmaceutical companies, hospitals, doctors, healthcare professionals, or public government institutions) may constitute an attempt to hack your data and computer equipment.
Computer Hacking: Actions and Measures to Protect Hospitals
Obliged to directly inform the individuals concerned, the APHP will have notified you of the breach of their information systems. It should be noted that several websites claim to hold the data in question and can identify the individuals concerned.
Public institutions strongly advise against using these platforms, some of which are intended to misuse your information for personal purposes.
Technical measures: In the event of a cyberattack, all professionals in the sector recommend, as a precautionary measure, immediately changing the passwords of the targeted users on the various platforms.
To secure accounts, using a different password for each platform and enabling two-step verification via email or text message are encouraged.
Several practical guides on existing IT protection measures, password security, etc. are regularly updated.
Extended vigilance: It is common for stolen data to be exploited much later, once victims’ vigilance has weakened. Public authorities recommend that victims remain vigilant regarding account activity. You can check whether new accounts have been opened in your name via government websites such as the Banque de France or the CNIL.
If you discover unauthorized publication of your personal data, fraudulent use of this data, or attempted fraud, it is important to retain all evidence of these actions, particularly screenshots.
If social media accounts are affected, it is strongly recommended that you directly report the disputed pages, accounts, and messages to the platform moderators.
Complaint and class action: Protection of victims of cyberattacks
As French law does not recognize class actions, victims of the APHP data theft can file individual complaints, claiming the financial and moral damages suffered as a result of this breach. The formation of victims’ associations and the involvement of the CNIL (French Data Protection Authority) in this matter will facilitate, once the identity of those responsible has been established, the award of appropriate compensation.
The alleged offenses, which have already been referred to the Cybercrime Brigade of the Paris Prosecutor’s Office, involve accessing and remaining in an Automated Data Processing System (STAD), fraudulent extraction of data from an STAD, and fraudulent collection of personal data.
The government has made a complaint form available to victims, which can be submitted online to the address plaintiff-befti@interieur.gouv.fr.
However, it is important to note that filing a complaint in the absence of identified damages appears difficult, as a complaint undoubtedly constitutes a first step in the procedure.