Cyberattacks on French Hospitals: An Alarming Track Record (2019-2026)
From the Rouen University Hospital to the Cannes Hospital, a complete timeline of cyberattacks against French hospitals. Costs, patient impact, the role of phishing, and the government's response.
On November 15, 2019, a Friday evening at 7:45 PM, screens at the Rouen University Hospital (CHU de Rouen) displayed a message in English: "Your files have been encrypted." Within hours, the hospital's 6,000 workstations became unusable. Nursing staff pulled out paper records, handwritten prescriptions, physical order forms. The emergency department kept running, but at a fraction of its normal capacity. France had just learned that its hospitals were targets.
Since that November night, not a single semester has passed without a French hospital being paralyzed by ransomware. Dax, Villefranche-sur-Saone, Corbeil-Essonnes, Versailles, Cannes - the list is long, and it keeps growing. In 2023, CERT Sante (France's healthcare-sector CERT, under the Agence du Numerique en Sante) processed 581 incident reports from French healthcare facilities, half of which involved information system compromises.
This article traces seven years of cyberattacks against French hospitals. Each incident is documented with its causes, its timeline, and its consequences. Not for the spectacle of disaster, but because understanding the attack pattern is the prerequisite for defending against it. And that pattern almost always starts the same way: an email, a click, a stolen credential.
Why hospitals became ransomware operators' preferred targets
One persistent misconception deserves correcting: hospitals are not victims "by accident." Ransomware groups target them deliberately, for highly rational reasons.
Life-or-death pressure as leverage. A hospital cannot "shut down while the problem gets fixed." Emergencies keep arriving, ventilator patients need monitoring, chemotherapy sessions cannot be rescheduled by a week. This permanent urgency creates pressure that attackers exploit: hospitals are tempted to pay in order to restore systems as fast as possible. In practice, very few French hospitals have actually paid.
Aging IT infrastructure. APSSIS (Association Pour la Securite des Systemes d'Information de Sante - the French Association for Healthcare IT Security) estimated in 2022 that the average French hospital's IT budget represented 1.7% of its operating budget, compared to 4-9% in the banking, insurance, or industrial sectors. The result: servers running Windows Server 2008, workstations on Windows 7 in 2023, biomedical equipment with operating systems a decade old that cannot be updated without voiding the medical device certification.
The market value of health data. A complete medical record (name, date of birth, social security number, diagnoses, treatments, lab results) sells for 100 to 250 euros on dark web markets, according to Ponemon Institute estimates. That is 50 times the value of a credit card number (5 euros on average), because medical records enable long-term identity theft and insurance fraud.
Sprawling, flat networks. A hospital means thousands of workstations, hundreds of specialized applications, connected biomedical equipment, patient Wi-Fi, vendor access points. And often, everything sits on the same flat network. Once an attacker gains a foothold through phishing, they can move laterally without hitting a single barrier.
Low cybersecurity awareness among staff. Healthcare workers are trained to save lives. Cybersecurity rarely features in nursing or medical curricula. A receptionist, a medical secretary, or a resident who opens a weaponized attachment - that is the typical scenario. According to the Proofpoint State of the Phish 2025 report, one employee in three clicks a phishing link without prior training. In a hospital with 3,000 staff members, that means 1,000 potential entry points. For a detailed analysis of business phishing statistics, see our article on business phishing: 2026 statistics.
The attack timeline: seven years of hospital ransomware
Ramsay Sante - August 2019: 120 private clinics hit at once
On August 10, 2019, the Ramsay Generale de Sante group (now Ramsay Sante) suffered an attack that paralyzed the IT systems of 120 of its 126 facilities in France. The strain used was a GandCrab/REvil variant. The impact was considerable: admission management software, electronic patient records, and email systems were offline for several days.
As a publicly traded private hospital group, Ramsay's communication remained minimal. But the signal was clear: if France's largest private hospital operator could be brought down, no facility was safe. The attack hit hospitals in France, Sweden, Norway, and Italy. Full recovery took several weeks, with a wholesale switch to paper-based procedures during the crisis phase.
What stands out in hindsight is that the Ramsay attack barely registered with the public hospital sector. It would take three more months - and the Rouen University Hospital - for the threat to sink in.
Rouen University Hospital (CHU de Rouen) - November 2019: the first shock
Date: November 15, 2019, 7:45 PM.
The attack: The Clop ransomware encrypted data on 6,000 workstations and the majority of servers. The hospital switched entirely to degraded mode. Prescriptions went back to paper, lab results were delivered by hand, outpatient appointments were managed with binders.
Operational impact: The CHU did not shut down its emergency department, but scheduled activity slowed dramatically. Wait times for care lengthened. Physicians had to walk to the lab in person to collect test results. A return to functional IT took several weeks.
The cost: ANSSI (Agence nationale de la securite des systemes d'information - France's national cybersecurity agency) dispatched an incident response team on Saturday morning. The CHU estimated the total cost of the incident at over 10 million euros, including IT system reconstruction, hardware replacement, overtime, and lost revenue.
The entry vector: Post-incident analysis revealed that the attack began with a phishing email opened by a hospital employee. The Emotet malware was installed first, then served as a beachhead for the deployment of the Clop ransomware by the TA505 group.
The Rouen University Hospital became the textbook case cited in every ANSSI report on hospital threats. It also triggered the creation of the healthcare component in France's national cybersecurity strategy.
Dax Hospital - February 2021: months of rebuilding
Date: February 8, 2021.
The attack: The Dax-Cote d'Argent hospital (640 beds, 2,200 staff) was hit by ransomware overnight. The entire IT system was paralyzed: email, phone system, file servers, electronic patient records, admission management software.
Operational impact: This is arguably the attack that left the deepest mark on the public consciousness, because the disruption was total and prolonged. The emergency department stayed open, but all scheduled surgeries were postponed. Chemotherapy appointments continued in degraded mode. With the phone system down, the hospital had to communicate through social media to notify patients.
Staff described extreme working conditions: writing every prescription by hand, tracking down medical histories in paper archives, calling labs on personal cell phones to get test results. Several patient transfers to other facilities had to be organized.
Duration: The IT system was not fully restored for several months. Some line-of-business applications were not recovered for six months. That is how long it takes to rebuild an entire infrastructure from scratch when the backups themselves have been compromised.
The cost: Estimated at a minimum of 2 million euros for the technical rebuild alone, excluding lost revenue and staff overtime.
Villefranche-sur-Saone Hospital - February 2021: Ryuk enters the stage
Date: February 15, 2021, one week after Dax.
The attack: The Villefranche-sur-Saone hospital (northwest of Lyon, 2,500 staff) was hit by the Ryuk ransomware. The hospital immediately activated its "plan blanc" (France's healthcare crisis management plan) and shut down all IT systems to contain propagation.
Operational impact: All scheduled surgeries were postponed. Emergencies were redirected to hospitals in Lyon and Bourg-en-Bresse. Staff reverted to paper records. The hospital's director told the press: "We've gone back 30 years."
The vector: As is common with Ryuk, the infection chain started with an email containing a weaponized Word document (malicious macro). The TrickBot malware was deployed first, then paved the way for Ryuk.
The timing - one week after Dax - triggered a national wake-up call. On February 18, 2021, President Emmanuel Macron announced a 1 billion euro plan for cybersecurity, with a portion dedicated to the healthcare sector.
Oloron-Sainte-Marie Hospital - March 2021: the Bearn region as well
Date: March 8, 2021.
The attack: The Oloron-Sainte-Marie hospital (Pyrenees-Atlantiques, 300 beds) was in turn hit by ransomware. The IT system was encrypted, including part of the backups.
Impact: Scheduled surgeries were postponed. The hospital operated in degraded mode for several weeks. The attack came one month after Dax and Villefranche, reinforcing the impression of a coordinated campaign against French hospitals - even though later analysis showed that separate groups were simultaneously targeting easy prey.
Context: Oloron is a small community hospital with a limited IT budget. It had neither a full-time CISO, nor network segmentation, nor a formalized incident response plan. The textbook profile of an opportunistic target.
Arles Hospital - August 2021: Vice Society makes its entrance
Date: August 18, 2021.
The attack: The Joseph-Imbert hospital in Arles was struck by Vice Society, a Russian-speaking collective that specializes in targeting healthcare and education institutions. The entire IT system was compromised.
Operational impact: The hospital lost access to its electronic patient records, bed management system, email, and IP phone system. Staff fell back to paper records and whiteboards for admission management. Non-urgent specialist consultations were postponed.
Data theft: Vice Society practices double extortion: data encryption plus exfiltration before encryption. The group threatened to publish stolen data if the ransom was not paid. The Arles hospital refused to pay. Data was published on the group's site.
Rebuild duration: More than four months for a full return to normal IT operations.
What makes the Arles case notable is Vice Society's specialization in the healthcare sector. This was not opportunistic targeting: the group deliberately selected a hospital, knowing that medical data and operational pressure would maximize its chances of payment.
AP-HP - September 2021: 1.4 million patient records stolen
Date: September 2021.
The attack: AP-HP (Assistance Publique - Hopitaux de Paris), Europe's largest university hospital system, disclosed the theft of data belonging to 1.4 million patients who had taken a Covid-19 test in the Ile-de-France region in mid-2020. The data included names, dates of birth, social security numbers, and test results.
The vector: The breach exploited a vulnerability in a file-sharing tool (secure transfer system) used to transmit test results to health insurance organizations. This was not a conventional ransomware attack but a targeted data theft.
Consequences: AP-HP filed a criminal complaint and notified the CNIL (Commission nationale de l'informatique et des libertes - France's data protection authority). The leak triggered a political shockwave, as it involved Covid data - an extremely sensitive topic in 2021. Two individuals were arrested.
Scale: With 1.4 million records, this was the largest known health data breach in France at that date. It exposed the fragility of medical data transfer systems, many of which had been built hastily during the Covid crisis.
CHSF Corbeil-Essonnes - August 2022: the most widely covered attack
Date: August 21, 2022, 1:00 AM.
The attack: The Centre Hospitalier Sud Francilien (CHSF) in Corbeil-Essonnes (1,000 beds, 3,700 staff, serving 600,000 people) was hit by LockBit 3.0. The ransom demand: 10 million dollars.
Operational impact: The hospital shut down all IT systems. Emergencies were redirected to hospitals in Creteil, Paris, and Evry. Scheduled surgeries were postponed. Hospital activity dropped by roughly 20% in the weeks following the attack. The reversion to paper records profoundly disrupted the care chain.
CHSF's director, Gilles Calmes, publicly stated: "We will not pay." This is the position recommended by ANSSI and the French government, which considers ransom payments to be funding for organized crime and an incentive for further attacks.
Data publication: LockBit carried out its threat. In September 2022, the group published 11 gigabytes of data on its dark web site: hospitalization reports, lab analyses, medical records, social security numbers. The publication triggered a media and political shockwave.
The cost: CHSF estimated the cost of rebuilding its information system at approximately 7 million euros. This figure does not include lost revenue, patient transfers, or staff overtime.
The trial: In February 2024, a French court convicted a LockBit affiliate in connection with this case - a symbolically significant first, though it does not change the scale of the threat.
The CHSF attack was a turning point. It was the first time the French public concretely understood what a hospital cyberattack means: ambulances rerouted, surgeries canceled, intimate medical records published on the internet. Health Minister Francois Braun visited the site in person. The issue became political.
Versailles Hospital (CH Andre-Mignot) - December 2022: a bleak end to the year
Date: December 3, 2022.
The attack: The Andre-Mignot hospital in Versailles was hit by ransomware that encrypted 700 workstations and part of its servers. The hospital activated its plan blanc and switched to degraded mode.
Operational impact: Six patients from the intensive care and neonatal units were transferred to other facilities. Scheduled surgeries were postponed. The phone system went down. The director of the ARS Ile-de-France (Agence Regionale de Sante - the regional health authority) stated that the cyberattack "put the entire hospital capacity of the Yvelines department under strain."
Entry vector: The investigation revealed that the attack exploited compromised credentials, likely obtained through phishing targeting an employee with administrative privileges.
Response: ANSSI deployed a rapid response team. The Versailles hospital set up an emergency hotline for patients and families. Full reconstruction took several months.
Two major attacks in four months (Corbeil in August, Versailles in December): the end of 2022 marked the low point for hospital IT security in France.
Ajaccio Hospital - March 2023: Corsica is not spared
Date: March 2023.
The attack: The Ajaccio hospital was hit by a cyberattack that disrupted its information system. Precise technical details were not made public, but the hospital confirmed an interruption of IT systems that required switching to degraded mode.
Impact: Disrupted access to electronic patient records, paper-based appointment management, delays in treating non-urgent patients. Corsica's island geography compounded the situation: patient transfer options are geographically limited.
Context: The attack illustrates a worrying trend: mid-sized facilities outside major cities are particularly vulnerable. They have fewer IT resources, less access to cybersecurity expertise, and geographic isolation that worsens the consequences of any service outage.
Rennes University Hospital (CHU de Rennes) - June 2023: a major teaching hospital hit
Date: June 21, 2023.
The attack: The Rennes University Hospital, one of the largest hospitals in western France (10,000 staff, 1,800 beds), detected an intrusion in its information system. The hospital immediately cut internet access and isolated compromised systems, which contained the spread of the ransomware.
Operational impact: Thanks to relatively fast detection, the CHU avoided mass encryption of its data. Patient care continued, but the internet cutoff disrupted communications with external partners, vendors, and lab result transmission systems.
Data theft: Despite the rapid containment, attackers had time to exfiltrate data. The CHU confirmed the leak of administrative data and potentially patient data, without specifying the exact volume.
Response: The Rennes CHU had a CISO and a security team that responded within minutes of detection. That responsiveness is what limited the damage. ANSSI provided support.
The Rennes case demonstrates that adequate preparation can make the difference between a disruption lasting a few days and a paralysis lasting several months. Rapid detection and the ability to isolate systems are the two factors that separate a serious incident from a catastrophe.
Cannes Simone Veil Hospital - April 2024: LockBit strikes again
Date: April 16, 2024.
The attack: The Simone Veil Hospital in Cannes (800 beds, 2,200 staff) was hit by LockBit. The attack came less than two months after the (partial) takedown of LockBit's infrastructure by an international law enforcement operation (Operation Cronos, February 2024). Proof that the group reconstituted its capabilities very quickly.
Operational impact: The hospital shut down its systems and switched to degraded mode. Non-urgent surgeries were postponed. Outpatient activity was reduced. Nursing staff returned, once again, to handwritten prescriptions and paper records.
Data publication: LockBit claimed responsibility and published 61 gigabytes of data stolen from the hospital in May 2024: administrative records, HR files, patient data. This was the largest volume of hospital data published at that date.
Context: The Cannes attack demonstrates that law enforcement operations, however dramatic, are not enough to eradicate the threat. LockBit was disrupted but not destroyed. Its affiliates scattered to other ransomware-as-a-service platforms. The criminal business model remains intact.
The mechanics of a hospital attack: a typical anatomy
Having documented each incident individually, it is worth identifying the common pattern. The reality is that these attacks look strikingly similar.
Phase 1: initial access (D-30 to D-7). In the majority of documented cases, the attacker gains initial access through a phishing email. A hospital employee receives an email impersonating a vendor, an official agency, or a colleague. They click a link or open an attachment. Malware (Emotet, TrickBot, or BazarLoader, depending on the case) is silently installed on the workstation. In some cases, the entry vector is an RDP (Remote Desktop Protocol) port exposed to the internet with a weak password, or an unpatched VPN.
Phase 2: reconnaissance (D-7 to D-1). The attacker maps the hospital network. They identify Active Directory servers, file shares, and backup systems. They escalate privileges by exploiting unpatched vulnerabilities or by harvesting administrator credentials stored in plain text. The lack of network segmentation lets them move freely.
Phase 3: exfiltration (D-3 to D-1). Before encrypting anything, the attacker copies the most sensitive data to external servers. Patient records, HR files, financial documents. This data will serve as additional leverage (double extortion).
Phase 4: encryption (D-Day). The attacker deploys ransomware across all reachable systems, often on a Friday evening or over the weekend to maximize propagation time before detection. Files are encrypted, and local backups are destroyed if they are accessible from the network.
Phase 5: extortion (D+1 to D+30). A ransom note appears. The group publishes a countdown on its leak site. If the hospital refuses to pay (which is systematically the case in France), the data is published.
This pattern recurs in virtually every incident described in this article. And in almost every case, the front door was an email.
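The D-3 to D-1 exfiltration window in Phase 3 is a detection opportunity before encryption starts. The sketch below is an added example, not taken from any of the incident reports cited here: it flags hosts whose daily outbound volume jumps far above their own recent baseline. Host names, traffic figures, and thresholds are constructed or assumed.

```python
# Added example: flag Phase 3 style bulk exfiltration from daily flow totals.
# Host names and traffic figures are constructed; thresholds are assumed values.
from statistics import median

WINDOW = 7           # days of clean history used as the baseline
THRESHOLD = 3.5      # commonly used cut-off for the modified z-score
MIN_EXCESS_MB = 500  # ignore jumps that are small in absolute terms

# Megabytes sent per day to external addresses, oldest first.
# The last entry is D-1, the day before encryption in this constructed scenario.
SAMPLE_FLOWS = {
    "ws-radiology-12": [40, 55, 38, 61, 47, 52, 44, 58, 49, 53],
    "srv-files-01": [120, 135, 110, 128, 140, 118, 125, 131, 2900, 4100],
    # High but steady volume: a fixed absolute threshold would misfire here.
    "srv-backup-01": [800, 790, 805, 812, 798, 810, 795, 803, 808, 799],
}


def modified_z(value, history):
    """Score value against history using median and MAD instead of mean/stddev."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    mad = max(mad, 1.0)  # floor so a perfectly flat baseline cannot divide by zero
    return 0.6745 * (value - med) / mad, med


def detect_exfil(daily_mb):
    """Return indexes of days whose outbound volume is far above the baseline."""
    clean = []   # history with flagged days left out
    alerts = []
    for day, value in enumerate(daily_mb):
        if len(clean) >= WINDOW:
            score, med = modified_z(value, clean[-WINDOW:])
            if score > THRESHOLD and value - med > MIN_EXCESS_MB:
                alerts.append(day)
                # A flagged day never joins the baseline, so a transfer spread
                # over several days cannot normalize itself.
                continue
        clean.append(value)
    return alerts


def scan(flows):
    """Return {host: [day offsets relative to D-day]} for hosts with alerts."""
    report = {}
    for host, series in flows.items():
        days = detect_exfil(series)
        if days:
            report[host] = [day - len(series) for day in days]
    return report


if __name__ == "__main__":
    for host, offsets in scan(SAMPLE_FLOWS).items():
        print(host, "outbound spike on", ", ".join(f"D{o}" for o in offsets))
```

On the sample data only the file server is reported, on D-2 and D-1, while the steady high-volume backup host stays quiet.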
Phishing: the entry point in 60% of hospital attacks
ANSSI's figures leave no room for ambiguity: phishing and spear phishing are the leading initial access vector in cyberattacks against healthcare facilities. CERT Sante confirms this proportion in its annual report.
Why does phishing work so well in a hospital setting?
Staff fatigue. A nurse pulling back-to-back 12-hour shifts, a physician seeing 40 patients a day, a medical secretary handling 200 emails daily - digital vigilance is not their priority. And they should not be blamed for it. It falls to the organization to implement the right technical protections and targeted awareness training.
The volume of legitimate emails with attachments. In a hospital, it is normal to receive medical reports, lab results, purchase orders, and invoices. A phishing email mimicking a lab result or a supply order blends seamlessly into the daily flow.
The absence of multi-factor authentication (MFA). In 2022, the majority of French hospitals had not deployed MFA on their email systems or VPN access. A username and password were enough. When phishing captures those credentials, the attacker walks in through the front door.
Unprotected email domains. Many hospitals have not properly configured their SPF, DKIM, and DMARC records, making it easy to spoof their email identity. An attacker can send an email that appears to come from "dr.martin@chu-example.fr" without the recipient's email system blocking it. Testing your organization's email configuration takes a few seconds and can reveal gaping holes. For more on the importance of these protocols, see our article on SMB email security: testing SPF, DKIM, and DMARC.
Compromised legitimate accounts. Some attacks, like the Viamedis breach (which indirectly exposed millions of health records), used healthcare professional accounts compromised via phishing to access systems. The fraudulent email did not come from a stranger - it came from a physician whose account had been taken over.
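The SPF and DMARC gaps described under "Unprotected email domains" can be checked mechanically. The following is an added example, not code from this article: it audits TXT record strings for the settings that leave a domain spoofable. The domains and records are constructed, no DNS query is made, and DKIM is left out because its keys sit under selector names that cannot be derived from the domain alone.

```python
# Added example: offline audit of SPF and DMARC TXT records.
# All domains and records in SAMPLE_ZONE are constructed for illustration.

LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup


def _name(term):
    """Strip the SPF qualifier and lowercase the term."""
    return term.lstrip("+-~?").lower()


def audit_spf(txt_records):
    """Return findings for the SPF policy among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["spf: no record published"]
    if len(spf) > 1:
        return ["spf: multiple records, evaluation ends in permerror"]
    terms = spf[0].split()[1:]
    findings = []
    # Shallow count: lookups made inside included records are not followed.
    lookups = sum(
        1 for t in terms
        if _name(t).startswith("redirect=")
        or _name(t).split(":")[0].split("/")[0] in LOOKUP_MECHS
    )
    if lookups > 10:  # RFC 7208 limit on DNS-querying terms
        findings.append(f"spf: {lookups} DNS lookups, over the limit of 10")
    all_terms = [t for t in terms if _name(t) == "all"]
    if not all_terms:
        if not any(_name(t).startswith("redirect=") for t in terms):
            findings.append("spf: no 'all' term, unlisted senders get neutral")
        return findings
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    if qualifier == "+":
        findings.append("spf: '+all' authorizes every sender")
    elif qualifier == "?":
        findings.append("spf: '?all' is neutral, unlisted senders are not failed")
    elif qualifier == "~":
        findings.append("spf: '~all' is softfail, rejection depends on DMARC")
    return findings


def audit_dmarc(txt_records):
    """Return (findings, enforced) for the records found at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        reason = "no record published" if not recs else "multiple records, policy ignored"
        return [f"dmarc: {reason}"], False
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= tag")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors, failing mail is delivered")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"dmarc: pct={pct}, policy covers only part of failing mail")
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("dmarc: sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, no aggregate reports")
    # Simplification used here: enforced means quarantine/reject on all mail.
    enforced = policy in ("quarantine", "reject") and pct == "100"
    return findings, enforced


def audit_domain(domain, zone):
    """Audit one domain against a {name: [TXT strings]} mapping."""
    spf_findings = audit_spf(zone.get(domain, []))
    dmarc_findings, enforced = audit_dmarc(zone.get("_dmarc." + domain, []))
    return {"findings": spf_findings + dmarc_findings, "dmarc_enforced": enforced}


SAMPLE_ZONE = {  # constructed records, not real DNS data
    "chu-example.fr": ["v=spf1 include:_spf.mail-provider.example ~all"],
    "clinic-b.example": ["v=spf1 ip4:192.0.2.0/24 +all"],
    "_dmarc.clinic-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.example"],
    "hospital-c.example": ["v=spf1 ip4:198.51.100.10 mx -all"],
    "_dmarc.hospital-c.example": [
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hospital-c.example"
    ],
}

if __name__ == "__main__":
    for name in ("chu-example.fr", "clinic-b.example", "hospital-c.example"):
        print(name, audit_domain(name, SAMPLE_ZONE))
```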
The financial cost: millions of euros per incident
Quantifying the cost of a hospital cyberattack is a difficult exercise, because many cost items are indirect or delayed. But the available figures provide an order of magnitude.
| Facility | Estimated cost | Detail |
|---|---|---|
| Rouen University Hospital (2019) | 10M+ euros | IT rebuild, hardware, overtime, lost revenue |
| Dax Hospital (2021) | 2M+ euros | Technical rebuild only |
| CHSF Corbeil-Essonnes (2022) | 7M euros | IT rebuild (excluding lost revenue) |
| Versailles Hospital (2022) | Not disclosed | Patient transfers, reconstruction, prolonged degraded mode |
These direct costs tell only part of the story. Add to them:
Lost revenue. A hospital operating in degraded mode loses 15 to 30% of its activity during the crisis. For a facility generating 200 million euros in annual revenue, two months of operating at 80% capacity translates to a loss of 6 to 10 million euros.
Staff overtime costs. Every procedure that used to take a single click now takes 10 minutes in its paper version. Healthcare workers accumulate massive overtime. Administrative staff are reassigned to manual tasks.
Patient transfer costs. When emergencies are redirected to other hospitals, those facilities absorb the added cost. Ambulances travel longer distances. Wait times lengthen, with potential consequences for patient health.
Remediation costs. After the incident, the hospital invests heavily in security: new firewall, network segmentation, EDR (Endpoint Detection and Response), MFA, CISO recruitment. These investments would have cost a fraction of the attack's price tag had they been made beforehand.
Potential fines. The CNIL (France's data protection authority) can sanction failures to protect personal data. In the event of a health data breach (a special category under the GDPR), penalties can be severe. No hospital has yet been heavily sanctioned, but the CNIL has publicly stated its expectations.
For a detailed breakdown of cyberattack costs for a smaller organization, see our article: How much does a cyberattack cost an SMB with 50 employees.
The human cost: patients put at risk
Millions of euros get a lot of airtime. Patients get far less. Yet that is where the gravity of hospital cyberattacks is most tangible.
Postponed surgeries. In Villefranche, Corbeil, Versailles, and Cannes: in each case, dozens - sometimes hundreds - of scheduled surgeries were postponed. A surgical postponement is not a simple scheduling inconvenience. For a cancer patient awaiting tumor removal, every week of delay can change the prognosis.
High-risk patient transfers. At the Versailles hospital, six intensive care and neonatal patients were transferred on an emergency basis. Transferring a newborn in intensive care is inherently risky. The transfer happens only because the alternative - staying in a hospital without a functioning IT system - is worse.
Unavailable test results. When the IT system is down, lab results are no longer transmitted automatically. A physician awaiting a potassium level to adjust a cardiac treatment must call the lab, wait for a technician to locate the result on a backup system, and write it down by hand. The delay goes from 30 seconds to 30 minutes. And in some cases, that delay matters.
Prescription errors. Handwritten prescriptions carry risks: illegible handwriting, dosage errors, no automated drug-interaction checks. Computerized prescription systems exist precisely to prevent these errors. When they go down, the risk of medication error rises mechanically.
Patients stripped of medical confidentiality. When LockBit publishes 11 GB of CHSF data or 61 GB of Cannes data, thousands of patients have their medical records - diagnoses, treatments, lab results - accessible to anyone. The privacy violation is irreversible. A published medical record cannot be "unpublished."
In Germany, a case set legal precedent: in September 2020, a patient died at Dusseldorf University Hospital after being redirected to another facility because of a cyberattack. Investigators ultimately could not establish a direct causal link between the death and the attack. But the risk is real, documented, and taken seriously by health authorities.
In France, no death has been officially attributed to a hospital cyberattack. But testimonies from healthcare workers in the weeks following the Dax, Corbeil, and Versailles attacks describe working conditions that objectively increase patient risk.
Summary table of major attacks (2019-2024)
| Date | Facility | Ransomware / Group | Primary impact | Ransom demanded |
|---|---|---|---|---|
| Aug. 2019 | Ramsay Sante (120 clinics) | GandCrab/REvil | IT paralyzed, paper fallback | Not disclosed |
| Nov. 2019 | Rouen University Hospital | Clop (TA505) | 6,000 workstations encrypted | Not disclosed |
| Feb. 2021 | Dax Hospital | Not publicly identified | IT paralyzed for months | Not disclosed |
| Feb. 2021 | Villefranche-sur-Saone | Ryuk | Crisis plan activated, emergencies redirected | Not disclosed |
| Mar. 2021 | Oloron-Sainte-Marie | Not publicly identified | Surgeries postponed | Not disclosed |
| Aug. 2021 | Arles Hospital | Vice Society | Double extortion, data published | Not disclosed |
| Sep. 2021 | AP-HP | Targeted data theft | 1.4M patient records stolen | N/A |
| Aug. 2022 | CHSF Corbeil-Essonnes | LockBit 3.0 | 11 GB of data published | $10M |
| Dec. 2022 | Versailles Hospital | Not publicly identified | 700 workstations encrypted, 6 patients transferred | Not disclosed |
| Mar. 2023 | Ajaccio Hospital | Not publicly identified | Prolonged degraded mode | Not disclosed |
| Jun. 2023 | Rennes University Hospital | Not publicly identified | Internet cut, data leak | Not disclosed |
| Apr. 2024 | Cannes Simone Veil | LockBit | 61 GB of data published | Not disclosed |
This table reveals a stark reality: between 2019 and 2024, at least one major attack every semester. And these are only the incidents that were publicly disclosed. CERT Sante handles dozens of additional incidents each year that never reach the media.
The criminal groups targeting French healthcare
Several ransomware groups are responsible for the attacks documented above. Identifying them helps explain the business model and the methods.
LockBit is the most active group against France's healthcare sector. Responsible for the attacks on CHSF Corbeil-Essonnes and the Cannes hospital, LockBit operates a ransomware-as-a-service (RaaS) model: the group develops and maintains the software, then independent "affiliates" carry out attacks in exchange for a commission (typically 20-30% of the ransom). This decentralized model explains why Operation Cronos in February 2024, which dismantled part of LockBit's infrastructure, did not end the attacks.
Vice Society carved out a specialization in targeting the healthcare and education sectors, both in France and in English-speaking countries. The group is responsible for the Arles hospital attack. Vice Society favors targets that combine sensitive data with low cybersecurity maturity.
Clop (TA505) struck the Rouen University Hospital in 2019. The group has been active since 2016 and tends toward large organizations. Its modus operandi includes deploying Emotet as the initial-stage malware.
Ryuk (associated with the Wizard Spider group) was responsible for the Villefranche-sur-Saone attack. Ryuk used TrickBot as an initial access vector and specifically targeted organizations capable of paying high ransoms. The group ceased operations under the Ryuk name in 2021, but its members likely migrated to other groups, including Conti.
The common thread across all these groups: they operate from Russia or CIS countries (Commonwealth of Independent States) and benefit from de facto tolerance by local authorities, as long as they do not target Russian organizations.
The government's response: from diagnosis to action
Faced with the acceleration of attacks, French authorities have progressively strengthened their response. Here is a summary of the major measures.
2021: the cyber plan after Dax and Villefranche
On February 18, 2021, following the Dax and Villefranche attacks, Emmanuel Macron announced a national cybersecurity plan funded at 1 billion euros, including 720 million in public funding. The plan included a specific healthcare component:
- Strengthening ANSSI with dedicated positions for healthcare sector oversight.
- Mandating security audits across healthcare facilities.
- Integrating cybersecurity into hospital certification criteria by the HAS (Haute Autorite de Sante - France's national authority for health).
- Requiring healthcare facilities to allocate a minimum share of their IT budget to security.
2022: hospitals become essential service operators
At the end of 2022, the Ministry of Health designated 135 hospitals as Essential Service Operators (OSE - Operateurs de Services Essentiels) under the European NIS Directive. This designation imposes specific cybersecurity obligations: mandatory incident reporting, regular audits, and technical compliance requirements. ANSSI becomes the supervisory authority for these facilities.
2023: the CaRE program
In December 2023, the government launched the CaRE program (Cybersecurite acceleration et Resilience des Etablissements - Cybersecurity Acceleration and Resilience for Healthcare Facilities), funded at 750 million euros over 5 years (2023-2028). It is the most ambitious program ever dedicated to hospital cybersecurity in France.
The CaRE program is structured around four pillars:
- Governance and resilience. Every facility must appoint a cybersecurity lead and formalize a business continuity plan that incorporates cyber risk. The ARS (Agences Regionales de Sante - France's regional health agencies) are responsible for coordinating audits.
- Resources and pooling. Funding for shared CISOs serving small facilities that cannot recruit individually. Creation of regional resource centers.
- Awareness and training. Mandatory training programs for all hospital staff (not just IT teams). Annual cyber crisis exercises.
- Operational security. Funding for technical upgrades: network segmentation, MFA, EDR, offline backups, 24/7 monitoring.
The stated objective: 100% of healthcare facilities reaching a minimum security level by 2028. An ambitious goal, given the accumulated backlog.
2024-2026: NIS2 and the ramp-up
The transposition of the European NIS2 directive into French law (effective since October 2024, with a compliance transition period) considerably widens the scope of regulated entities in the healthcare sector. Labs, medical device manufacturers, and healthcare software vendors are now covered.
The first CaRE program evaluations, published in early 2026, show uneven progress: major university hospitals have significantly strengthened their security posture, but small community hospitals remain behind, for lack of qualified staff.
Hospital IT budgets: the root of the problem
All government plans, however generously funded, run into the same reality: hospital IT has been underfunded for decades.
1.7% of operating budget: that is APSSIS's estimate for the IT budget share in an average French hospital in 2022. For comparison, the banking sector allocates between 7 and 9% of operating expenses to IT, and ANSSI's recommendation for organizations handling sensitive data is 5 to 10%.
In concrete terms, a 500-bed hospital with a 200 million euro operating budget devotes approximately 3.4 million euros to IT. Of that 3.4 million, routine maintenance (licenses, support, hardware) absorbs 80%. That leaves 680,000 euros for projects, security, and modernization. For a facility managing 3,000 workstations, 500 servers, and 1,500 connected biomedical devices, that amount is inadequate.
The CaRE program provides additional funding, but with a constraint: the funds are earmarked for security and cannot be used to address the overall IT backlog. Yet security cannot be treated in isolation: deploying a state-of-the-art firewall in front of a flat network with Windows 2008 servers is putting a deadbolt on an open door.
Real change will come when hospital IT budgets move from 1.7% to at least 3-4% of operating budget, with a third ring-fenced for security. That is the implicit objective of the CaRE program, but the trajectory will be long.
Hospital technical debt: a heavy legacy
Chronic underinvestment has created a substantial technical debt that attackers exploit methodically.
Obsolete operating systems. In 2023, CERT Sante found that many hospital workstations were still running Windows 7 (end of support: January 2020) or Windows 8.1 (end of support: January 2023). Some biomedical equipment (CT scanners, MRI machines, patient monitors) runs on even older systems (Windows XP, Windows Embedded) that receive no security patches whatsoever.
Unmaintained line-of-business applications. Electronic patient records (DPI - Dossier Patient Informatise), patient administration systems (GAP - Gestion Administrative des Patients), computerized prescription systems - these mission-critical applications are often developed by small vendors with slow update cycles and an attack surface that is rarely audited.
No network segmentation. In many hospitals, the network is flat: a single VLAN for administration, care, biomedical equipment, and guest Wi-Fi. When an attacker compromises a reception desk workstation, they potentially gain access to the MRI scanner and the Active Directory server.
Network-connected backups. The most costly mistake: backups stored on servers reachable from the main network. When ransomware strikes, it encrypts the backups too. The Dax hospital learned this the hardest way possible: rebuilding took months precisely because backups had been compromised.
Unsecured remote access. Many hospitals expose RDP (Remote Desktop Protocol) services to the internet to allow maintenance vendors to access systems. Without MFA, without a properly configured VPN, these access points are open doors for attackers who systematically scan the internet for reachable RDP services.
What hospitals can do now: priority measures
ANSSI's list of recommendations for healthcare facilities is extensive. But certain measures deliver disproportionate impact relative to their cost.
1. Deploy multi-factor authentication (MFA) on all access points. This is the number one measure. If France Travail (France's public employment agency) had deployed MFA, the 43 million records would not be in the wild. If hospitals systematically deployed MFA on their email systems and VPN access, the majority of phishing attacks would stop at the door. MFA is not foolproof, but it blocks over 99% of credential-theft attacks, according to Microsoft data.
2. Segment the network. Physically or logically separate the administrative network, the care network, biomedical equipment, and the guest network. When a workstation is compromised, propagation stops at the segment boundary.
3. Disconnect backups from the network. Adopt the 3-2-1 rule: three copies of data, on two different media, with one kept offline (air-gapped). This is what separates a rebuild of a few days from a rebuild of several months.
4. Train staff to recognize phishing. Not a 30-minute annual PowerPoint. Regular phishing simulations, monthly, tailored to the hospital context (emails mimicking medical supply vendors, lab results, HR notices). Phishing simulation click rates drop from 33% to under 5% after six months of a structured program (Proofpoint State of the Phish 2025).
5. Protect email domains. Configure SPF, DKIM, and DMARC to prevent attackers from spoofing the hospital's email identity. An attacker who cannot send an email as "reception@hospital-example.fr" loses a major attack vector.
6. Deploy EDR (Endpoint Detection and Response) on all workstations. Traditional antivirus is no longer sufficient. EDR detects suspicious behavior (lateral movement, privilege escalation, mass file encryption) and can block ransomware within seconds of activation.
7. Test the business continuity plan. Having a plan serves no purpose if it is never tested. Every year, the hospital should simulate a complete IT shutdown for 4 hours and verify that degraded procedures actually work.
Hospital staff awareness: an underestimated challenge
Awareness training is often the neglected component of hospital cybersecurity. Organizations invest in firewalls, EDR, and network segmentation, but leave the human link untrained.
The numbers speak for themselves. The KnowBe4 Phishing by Industry 2024 report ranks the healthcare sector among the most vulnerable to phishing, with an initial click rate of 34.2% for organizations with over 1,000 employees. After 12 months of simulation training, that rate drops to 4.6%.
The hospital-specific challenge: turnover and staff diversity. A 10,000-person university hospital employs physicians, nurses, nursing assistants, medical secretaries, lab technicians, support staff, and administrative managers. Each has a different level of IT familiarity. And the rotation of temporary staff, agency workers, and residents who change departments every six months complicates training coverage.
An effective hospital awareness program must:
- Be continuous, not one-off. Monthly phishing simulations, not an annual training session.
- Be contextual. Simulation emails must resemble what staff actually receive: lab results, purchase orders, occupational health appointment notices.
- Not be punitive. The goal is learning, not discipline. An employee who clicks receives an immediate explanation, not a reprimand.
- Cover all departments, including those that consider themselves "not concerned" (logistics, kitchen, laundry) - departments that still have network access.
Health data: reinforced protection under the GDPR
Health data benefits from reinforced protection under European law. Article 9 of the GDPR classifies it as a "special category of personal data," the processing of which is in principle prohibited except in exhaustively listed cases (healthcare, public interest, etc.).
This classification has practical consequences in the event of a cyberattack:
72-hour notification obligation to the CNIL. As soon as a hospital identifies a personal data breach (including encryption, which renders data unavailable), it must notify the CNIL. If the breach presents a high risk to the individuals concerned (which is systematically the case with medical data), the hospital must also individually notify affected patients.
Potentially aggravated sanctions. Processing health data without adequate security measures can be sanctioned by the CNIL under Article 32 of the GDPR (security obligation) and Article 9 (protection of special categories). Fines can reach 20 million euros or 4% of turnover.
DPO accountability. The hospital's Data Protection Officer (DPO - Delegue a la Protection des Donnees) has a duty to alert management about risks to personal data. In practice, many hospital DPOs are legal professionals without technical cybersecurity expertise, which limits their ability to identify and prioritize risks.
The role of certified health data hosting. Health data stored by an external provider must be hosted by an HDS-certified provider (Hebergeur de Donnees de Sante - Health Data Host). This certification, issued by bodies accredited by COFRAC (France's national accreditation body), imposes physical and logical security requirements. But when data resides in the hospital's internal IT system, HDS certification does not apply - and security rests entirely on the hospital.
International comparison: does France fare worse?
French hospitals are not the only ones affected. The phenomenon is global, and comparison provides perspective - or not - on the French situation.
Germany. Dusseldorf University Hospital suffered an attack in September 2020 that led to the death of a patient redirected to another facility. The federal government strengthened hospital cybersecurity obligations through the IT-Sicherheitsgesetz 2.0 law.
United Kingdom. The May 2017 WannaCry attack paralyzed the National Health Service (NHS), affecting 80 of 236 hospital trusts and leading to the cancellation of 19,000 appointments. The attack cost the NHS approximately 92 million pounds sterling. Since then, the UK has invested heavily in hospital cybersecurity through a dedicated NHSX program.
United States. The Department of Health and Human Services (HHS) recorded 725 health data breaches affecting more than 500 individuals in 2023. The Change Healthcare group was attacked in February 2024, disrupting prescription processing for millions of Americans. The ransom paid reportedly reached 22 million dollars.
Ireland. The Irish Health Service Executive (HSE) suffered a Conti attack in May 2021 that paralyzed the national health system for weeks. The cost was estimated at 80 million euros.
France ranks around the European average in terms of attack volume, but lags behind the UK (post-WannaCry) and Germany in hospital IT spending.
Lessons learned - and lessons still to learn
Seven years after the Rouen University Hospital, what have we learned?
What has improved:
- Political awareness is genuine. The CaRE program, funded at 750 million euros, signals that the government treats hospital cybersecurity as a public health priority.
- ANSSI has developed healthcare-specific expertise and can deploy rapid response teams.
- Major university hospitals have strengthened their security teams. The Rennes CHU showed in 2023 that fast detection can significantly limit damage.
- The designation of 135 hospitals as OSE imposes a binding regulatory framework with regular audits.
- NIS2 extends the scope of protection to the entire healthcare value chain.
What remains insufficient:
- Small community hospitals still lack the human and financial resources to implement the recommendations. A CISO shared across five hospitals is better than nothing, but it falls short against professional attackers.
- The average IT budget remains too low. At 1.7% of operating budget, even with CaRE subsidies, 20 years of underinvestment cannot be recovered in five.
- Staff awareness training remains patchy in many facilities. The CaRE program mandates training, but actual deployment to 100% of staff will take years.
- Technical debt (Windows 7, unmaintained applications, flat networks) does not disappear by installing an EDR. It requires replacing thousands of workstations, migrating dozens of line-of-business applications, and rewiring entire networks.
- The ransomware business model has not been broken. As long as organizations worldwide keep paying ransoms, criminal groups will continue investing in new tools and targeting new victims.
The outlook: emerging threats through 2027-2028
Ransomware will remain the dominant threat to French hospitals in the coming years. But other risks are emerging.
AI-powered attackers. AI-generated phishing emails are already more convincing than those written by non-native human operators. In a hospital, an AI-crafted phishing email that flawlessly mimics the tone of an internal colleague or a regular vendor will be virtually undetectable by human judgment alone. The combination of technical detection and awareness training becomes non-negotiable.
Attacks on connected biomedical devices. The Internet of Medical Things (IoMT) is expanding: connected infusion pumps, networked patient monitors, remotely operated imaging devices. Each connected device is a potential entry point, and most do not receive regular security updates.
Supply chain attacks. The Viamedis-Almerys breach showed that healthcare service providers are prime targets for indirectly reaching millions of patients. Hospital software vendors, maintenance providers, third-party payment operators - the entire chain is exposed.
State-sponsored espionage. Health data covering entire populations also interests foreign intelligence services. Exploiting medical records for blackmail, profiling, or pharmaceutical research is a real risk, even if it receives less media coverage than ransomware.
What healthcare-adjacent SMBs should take away
If you are an SMB that works with the healthcare sector - software vendor, integrator, medical equipment supplier, maintenance provider - this article concerns you directly.
The NIS2 directive extends cybersecurity obligations to suppliers of regulated entities. If your hospital client is classified as an OSE, they will ask you for evidence of your own cybersecurity maturity: a formalized security policy, deployed MFA, trained staff, completed penetration tests, cyber insurance coverage.
Three concrete actions:
- Test your email domain's security. If an attacker can send emails posing as your company, they can target your hospital clients from "your" address. Check your SPF, DKIM, and DMARC configuration in a few seconds.
- Train your team on phishing. Your technical support team with VPN access to the hospital's network is an attack vector. A compromised account at your company is an open door at your client's. Phishing simulations reduce click rates from 33% to under 5%.
- Document your security measures. Hospitals will increasingly require responses to security questionnaires. Having an auditable awareness program, training logs, and simulation results - that is what separates a retained vendor from a rejected one.
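The email-domain check recommended in priority measure 5 and in the first action above can be scripted. The following is an added example, not part of the original article: it audits SPF and DMARC TXT record strings offline and lists weak settings. The record values and the mail-provider.example name are constructed; DKIM is left out because its keys are published under a selector name that has to be known beforehand.

```python
import re

# RFC 7208 terms that each cost one DNS query (limit: 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records; hospital-example.fr is the article's placeholder.
WEAK_SPF = ["v=spf1 include:_spf.mail-provider.example ip4:192.0.2.0/24 ~all"]
WEAK_DMARC = ["v=DMARC1; p=none; pct=50"]
STRICT_SPF = ["v=spf1 include:_spf.mail-provider.example -all"]
STRICT_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@hospital-example.fr"]


def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a dict of lowercase tag -> value."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def audit_spf(txt_records):
    """Findings for the SPF record among the TXT records of a domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = [t.lower() for t in spf[0].split()[1:]]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"))[0] for t in terms]
    findings = []
    # Only this record is counted; nested includes are not followed.
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("SPF: %d DNS-lookup terms, over the limit of 10" % lookups)
    first_all = next((t for t, n in zip(terms, names) if n == "all"), None)
    if first_all is None and "redirect" not in names:
        findings.append("SPF: no 'all' term, unlisted senders are not failed")
    elif first_all in ("all", "+all"):
        findings.append("SPF: +all authorizes every host on the internet")
    elif first_all in ("?all", "~all"):
        findings.append("SPF: %s does not hard-fail unlisted senders" % first_all)
    return findings


def audit_dmarc(txt_records):
    """Findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["DMARC: expected exactly one v=DMARC1 record, found %d" % len(dmarc)]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s requests no action on failing mail" % (policy or "missing"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("DMARC: pct=%s applies the policy to part of the mail" % pct)
    if "rua" not in tags:
        findings.append("DMARC: no rua address, aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for finding in audit_spf(WEAK_SPF) + audit_dmarc(WEAK_DMARC):
        print(finding)
```

To audit a live domain, pass the functions the TXT strings returned for the domain and for `_dmarc.<domain>`, with the surrounding quotes removed.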
FAQ: Cyberattacks on French hospitals
Why are French hospitals targeted so heavily by cyberattacks?
Hospitals combine four characteristics that make them prime targets: a 24/7 operational mandate that increases pressure to restore systems quickly, IT systems that are often outdated (IT budget at 1.7% of operating budget versus 4-9% in banking, according to APSSIS), health data that sells for up to 250 euros per record on the dark web (Ponemon Institute), and poorly segmented networks that allow rapid ransomware propagation once the first workstation is compromised.
How many cyberattacks have hit French hospitals since 2019?
CERT Sante handled 581 incident reports from healthcare facilities in 2023. ANSSI recorded at least 40 security incidents targeting healthcare facilities in 2022. Between 2019 and 2026, over thirty major attacks have been publicly documented, at a pace of at least one widely covered attack per semester. The actual number is likely higher, as many incidents are never publicly disclosed.
Is phishing really the main attack vector against hospitals?
Yes, in roughly 60% of cases documented by ANSSI and CERT Sante. The pattern is consistent: a hospital employee clicks a link in a fraudulent email, malware (Emotet, TrickBot) is installed, the attacker moves through the network, then deploys ransomware. The absence of multi-factor authentication and network segmentation facilitates propagation. Other entry vectors include exposed RDP access and unpatched VPN vulnerabilities.
How much does a cyberattack cost a French hospital?
Estimates range from 2 to 20 million euros depending on the facility's size. The Rouen University Hospital put the impact at over 10 million euros. CHSF Corbeil-Essonnes estimated its IT rebuild at 7 million euros. These figures exclude indirect costs: lost revenue (15-30% during the crisis), staff overtime, patient transfers, and the breach of medical confidentiality for published data.
What is the French government doing to protect hospitals?
The CaRE program, launched in December 2023, is funded at 750 million euros over 5 years. It mandates security audits, finances technical upgrades, and conditions part of hospital funding on measurable cybersecurity objectives. In addition, 135 hospitals have been designated as Essential Service Operators (OSE) with reinforced obligations. The NIS2 directive, transposed in 2024, extends these obligations across the entire healthcare value chain.
Are stolen health records published online?
Yes, in several cases. LockBit published 11 GB of data from CHSF Corbeil-Essonnes in September 2022 and 61 GB from the Cannes hospital in May 2024. Vice Society published data from the Arles hospital. These publications include medical reports, lab analyses, and social security numbers. They result from the hospital's refusal to pay the ransom - a refusal recommended by ANSSI and Cybermalveillance.gouv.fr, since payment does not guarantee data deletion and funds organized crime.
Thomas Ferreira is a CISSP-certified cybersecurity consultant. He helps French businesses defend against social engineering threats. The data in this article is sourced from ANSSI, CERT Sante, CNIL, Proofpoint State of the Phish 2025, IBM Cost of a Data Breach 2025 reports, and official communications from the affected facilities.