
Health Data: Why It Is the Number One Hacker Target in France

A medical record sells for up to $1,000 on the dark web, versus $5 for a credit card. Full analysis of cyberattacks against the French healthcare sector: Viamedis, AP-HP, CHSF Corbeil-Essonnes, HDS certification, the CaRE program, and concrete protection measures.

Thomas Ferreira · 43 min read

On February 1, 2024, a third-party payment operator that most French citizens had never heard of - Viamedis - suffers an intrusion. Five days later, its direct competitor, Almerys, is hit as well. The result: the health data of 33 million policyholders is compromised. Social security numbers, names, dates of birth, insurer identifiers, supplementary health coverage details. Everything is exposed.

This incident is not an isolated case. It is the norm.

In 2023, ANSSI handled 10% more cyber incidents in the healthcare sector than in 2022. The ANSSI 2023 Cyber Threat Overview ranks healthcare among the most targeted sectors on French soil. The year 2024 confirmed this trend, with the double Viamedis-Almerys breach and a series of attacks on hospitals across the country.

But why? Why does a medical record attract cybercriminals more than a Visa card number? Why are French hospitals falling one after another? And how did we get here in a country that has one of the strictest regulatory frameworks in the world for health data?

This article confronts the question head-on. We will discuss the market value of your medical data, the structural weaknesses of the French healthcare system, the most significant attacks of the past five years, the legal framework, the government's response, and what healthcare organizations (and their subcontractors) must do concretely to reduce risk.

A Medical Record Is Worth 20 to 200 Times More Than a Credit Card

Let us start with what motivates attackers: money.

According to analyses by Trustwave SpiderLabs and the Ponemon Institute, a complete medical record sells for between 250 and 1,000 dollars on dark web marketplaces. For comparison, an American credit card number with CVV sells for between 5 and 10 dollars. An online banking account credential: between 50 and 200 dollars. A complete medical record - with consultation history, current treatments, lab results, social security number, and identifying information - is the jackpot.

The IBM Cost of a Data Breach 2025 report confirms this hierarchy: the healthcare sector retains the highest average cost per breach across all sectors, at $10.93 million - and has done so for 13 consecutive years. That is more than double the cross-sector average ($4.44M).

Why this price difference?

Three structural factors explain the gap.

Data permanence. A compromised credit card gets blocked within 48 hours. The bank issues a new one; the old one becomes useless. But your blood type, medical history, diagnoses, and prescriptions do not change. They follow you for life. An attacker who obtains a complete medical record holds a mine of information exploitable for years, even decades.

Multiple fraud possibilities. A stolen credit card serves only one purpose: fraudulent purchases. A medical record opens the door to a dozen different types of fraud (we return to these in detail below). It is this versatility that drives up prices.

Low detection rate. French banks have real-time fraud detection systems. A suspicious transaction is blocked within seconds. Health insurance fraud, medical identity theft, or blackmail based on a diagnosis - these fraudulent uses of health data can go undetected for months, sometimes years. When the victim discovers the problem, the damage has long since been done.

The 8 Criminal Uses of Stolen Health Data

The value of a medical record on the black market is explained by the diversity of what an attacker can do with it. Here are the eight main uses documented by cybersecurity researchers and law enforcement.

1. Medical identity theft

The attacker uses your information (name, date of birth, social security number) to receive medical care under your name. Consultations, hospitalizations, drug prescriptions: everything is billed to your national health account. According to Experian, this form of fraud affects approximately 2.3 million Americans per year - the phenomenon is less documented in France, but the mechanics are identical.

The consequence for the victim goes beyond financial: incorrect medical information (blood type, allergies, treatments) is added to their record. During a medical emergency, this false data can have life-threatening consequences.

2. Insurance fraud

With the details of your supplementary health coverage (exactly the data stolen in the Viamedis-Almerys case), an attacker can fabricate reimbursement claims. Fake consultations, fake medical devices, fake prescriptions. France's national health insurance valued detected fraud at 316 million euros in 2022. The real amount is likely much higher.

3. Blackmail and extortion

This is the most directly violent use. An attacker who holds someone's HIV diagnosis, cancer diagnosis, psychiatric disorder, or substance abuse record can blackmail them. The LockBit 3.0 group, which published patient data from the CHSF hospital in Corbeil-Essonnes in September 2022, was banking precisely on this pressure to force the hospital to pay the 10-million-dollar ransom.

In Finland, the Vastaamo case (2020) remains the textbook example: an attacker directly contacted patients at a psychotherapy center to individually extort money from them, threatening to publish their session notes. Tens of thousands of people were targeted.

4. Social benefits fraud

With a social security number and complete personal details, an attacker can open entitlements to benefits (sick leave, disability allowances, universal health coverage) in the victim's name. This type of fraud is slow to detect because social agencies operate in silos: the health insurance, family benefits, and pension systems do not systematically cross-reference their data in real time.

5. Pharmaceutical targeting

Aggregated medical data (conditions, prescriptions) has commercial value for unscrupulous pharmaceutical players. Knowing that someone suffers from a specific chronic condition enables targeted commercial solicitation. The CNIL has sanctioned companies on multiple occasions for illegally using health data for marketing purposes.

6. Precision spear phishing

This is the use most directly relevant to our work at nophi.sh. Stolen health data enables the construction of devastatingly realistic phishing emails. "Hello Mr. Dupont, following your March 15 consultation with Dr. Martin, please find your lab results attached." When the email contains details that only your doctor should know, the suspicion reflex collapses. We return to this in the section on secondary exploitation of stolen health data.

7. Bulk resale to other criminal groups

An attacker who exfiltrates a health database does not always exploit it themselves. They put it up for sale, wholesale or in lots, on specialized forums. The database is then purchased by specialists in each type of fraud: one group for identity theft, another for targeted phishing, a third for blackmail. A single data set can be resold five or six times to different buyers.

8. Building complete profiles for advanced social engineering

By cross-referencing health data with other compromised databases (France Travail, Free, Fnac-Darty), an attacker builds a complete target profile: personal details, address, phone, email, employer, family situation, and now medical history. This profile enables social engineering attacks of very high sophistication, including against the companies where these individuals work. To understand the psychological levers of these attacks: phishing psychology and cognitive biases.

France: A Land of Health Data Breaches

The healthcare sector in France has accumulated incidents since 2019. Here are the most significant attacks, in reverse chronological order.

Viamedis and Almerys: 33 million policyholders (February 2024)

This is the largest health data breach in French history, and the second-largest data breach of any kind behind France Travail (43 million). Two third-party payment operators - Viamedis (a subsidiary of the Malakoff Humanis group) and Almerys - were breached five days apart, between February 1 and 5, 2024.

Compromised data: personal details (surname, first name, date of birth), social security number, insurer identifier, contract number, supplementary health coverage guarantee details.

Attack vector: healthcare professional credentials, likely obtained through phishing, were used to access third-party payment management portals. A single username/password pair was sufficient. No multi-factor authentication.

Consequences: the CNIL opened an investigation and ordered Viamedis and Almerys to individually notify the 33 million affected people. Supplementary health insurers using these providers (virtually the entire French market) had to inform their members. The leak fueled waves of targeted phishing in the following weeks and months. For a detailed analysis of this incident: the 50 largest data breaches in France.

This case perfectly illustrates the risk of chain subcontracting. The policyholders had never heard of Viamedis or Almerys. These are subcontractors of subcontractors, invisible to the end user. Yet they held the health data of half the French population.

AP-HP: 1.4 million COVID test subjects (September 2021)

In September 2021, the Assistance Publique - Hôpitaux de Paris (AP-HP) revealed the theft of data from 1.4 million people who had taken a COVID test in the Paris region in mid-2020. Surnames, first names, dates of birth, sex, social security numbers, contact details, test results.

Attack vector: the intrusion exploited a vulnerability in a secure file-sharing service used to transmit test results between AP-HP and the national health insurance. The vulnerability was in the transfer tool, not the hospital systems themselves.

The Paris prosecutor's office opened an investigation. The CNIL investigated the case. The incident highlighted the fragility of inter-agency data exchanges in the context of the health crisis, where speed had taken precedence over security.

Dedalus Biologie: 500,000 medical records online (February 2021)

In February 2021, a file containing the medical data of nearly 500,000 French patients was published in open access on the internet. Not on the dark web - on a site accessible to everyone. Surnames, first names, social security numbers, addresses, phone numbers, and most critically: detailed medical comments (blood test results, HIV-positive diagnoses, cancers, pregnancies, drug treatments).

Origin: the data came from medical laboratories using the Dedalus Biologie management software (formerly Medasys). The leak was caused by a chain of failures: data extraction from the software, unsecured storage at a provider, and accidental or malicious publication.

Sanctions: the CNIL fined Dedalus 1.5 million euros in April 2022, for multiple GDPR violations: security failures, excessive data retention, and lack of a contract governing subcontractors.

This is arguably the most serious incident in terms of the sensitivity of exposed data. HIV diagnoses, psychiatric treatments, pregnancies - published in plain text, accessible via a search engine. For the 500,000 affected patients, the harm is irreparable.

CHSF Corbeil-Essonnes: Patient data on the dark web (August 2022)

On August 20, 2022, the Centre Hospitalier Sud Francilien (CHSF) in Corbeil-Essonnes was hit by the LockBit 3.0 ransomware. The hospital was paralyzed: IT systems encrypted, emergency department redirecting patients to other facilities, staff reverting to pen and paper.

Ransom demanded: 10 million dollars, later reduced to 1 million.

Refusal to pay: the hospital, in line with the ANSSI and government position, refused to pay. In retaliation, the LockBit group published 11 GB of data on its leak site: patient records, discharge summaries, lab results. The human impact is direct and lasting.

The attack forced CHSF to operate in degraded mode for several months. The then Health Minister, François Braun, visited the site and announced an emergency plan for hospital cybersecurity.

Rennes University Hospital: Data exfiltration (June 2023)

On June 21, 2023, the Rennes University Hospital detected a cyberattack. The intrusion was contained quickly by disconnecting systems from the internet, but some data had already been exfiltrated. The hospital communicated transparently about the incident, confirming that patient data was affected without specifying the exact volume.

Notable point: Rennes University Hospital had already begun a cybersecurity strengthening program before the attack. The rapid detection and effective response show that cybersecurity investments, even if they do not prevent every intrusion, considerably reduce the scale of damage.

Dax Hospital: Three weeks of paralysis (February 2021)

On February 8, 2021, the Dax hospital was hit by ransomware. Systems were encrypted. The hospital operated without IT for three full weeks: admissions on paper, lab results transmitted by fax, patient records inaccessible.

ANSSI dispatched a team within hours. Return to normal took several months. The total cost was never published, but hospital sources mention several million euros in system reconstruction, staff overtime, and lost revenue.

Villefranche-sur-Saône Hospital (February 2021)

A few days after Dax, on February 15, 2021, the Villefranche-sur-Saône hospital fell. Same scenario: ransomware, encrypted systems, reversion to paper. The hospital had to postpone non-urgent surgical procedures and redirect some patients to other facilities.

The timing coincidence with Dax was no accident. Both attacks were attributed to the same group (Ryuk then Conti). The attackers were methodically targeting the French hospital sector, knowing that a hospital's operational pressure increases the likelihood of ransom payment.

Ramsay Santé: 120 hospitals affected (August 2019)

In August 2019, the Ramsay Santé group - France's second-largest private hospital operator with 120 facilities - was hit by the GandCrab ransomware. The attack affected the entire network: email systems, business applications, and administrative tools were paralyzed.

The incident forced staff to revert to manual procedures for several days. Remediation took weeks. Ramsay Santé never publicly disclosed the ransom demanded or whether it was paid. The scale of the attack - 120 facilities simultaneously - illustrates the concentration risk: when a hospital group centralizes its IT infrastructure, a single intrusion brings down the entire network.

Red Cross / ICRC: 515,000 vulnerable individuals (January 2022)

In January 2022, the International Committee of the Red Cross (ICRC) discovered that the data of 515,000 people in extremely vulnerable situations (prisoners of war, refugees separated from families, missing persons) had been stolen. The attack targeted a provider hosting data for the family reunification program.

Although the ICRC is an international organization rather than a French entity, the incident directly affected French citizens and highlighted the value of humanitarian and medical data to state-level attackers. The techniques used - exploiting an unpatched vulnerability at a subcontractor - are exactly the same as those observed in attacks against French hospitals.

Why Hospital IT Is Like Swiss Cheese

The accumulation of incidents in the healthcare sector is not coincidental. Five structural vulnerabilities explain why French hospitals and healthcare actors are such easy targets.

Fossil operating systems

In many French hospitals, medical equipment (MRI scanners, CT scanners, lab analyzers, patient monitors) still runs on Windows XP or Windows 7 - systems that have not received security updates since 2014 and 2020, respectively.

Why? Because the embedded software in a 1.5-million-euro MRI machine is certified for a specific operating system version. Updating it requires recertification by the manufacturer - a lengthy, costly process that is sometimes simply impossible if the manufacturer has discontinued support for the model. The result: critical machines run on systems riddled with publicly documented vulnerabilities.

ANSSI has documented this problem repeatedly. In its report on cyber threats to healthcare facilities (2023), the agency notes that the technical debt of French hospitals constitutes the primary vulnerability factor for the sector.

A laughably low IT budget

Digital technology represents an average of 1.7% of a French public hospital's operating budget, according to DGOS (Directorate General for Healthcare Provision). In industry, this ratio sits between 5 and 7%. Among tech companies, between 15 and 20%.

For cybersecurity specifically, the picture is even worse. Before the CaRE program, most public hospitals simply had no dedicated cybersecurity budget line. The CISO (when one exists) is often the CIO wearing both hats, without a dedicated budget or team.

The international comparison is instructive. The British NHS, after the 2017 WannaCry attack that paralyzed dozens of hospitals, invested 338 million pounds in a dedicated cybersecurity program. France waited for the accumulation of incidents in 2021-2022 before responding with the CaRE program.

A labyrinthine subcontracting chain

A medium-sized French hospital works with several hundred different software vendors: electronic patient records, medication management, laboratory management, medical imaging, operating room management, billing, human resources, telephony, email, and dozens of specialized business applications.

Each vendor has its own security practices - or lack thereof. Each has access to the hospital network, sometimes through permanent VPNs or high-privilege service accounts. The Dedalus Biologie case showed what happens when one link in this chain breaks.

Auditing this software supply chain is a nightmare. How many hospitals have verified that each of their vendors follows security best practices? How many have imposed contractual security clauses with regular audits? Very few. The Viamedis-Almerys leak was a reminder that health data flows between dozens of actors, and the security of the whole is only as strong as the weakest link.

24/7 operations incompatible with maintenance

A hospital never closes. The emergency department runs around the clock. A CT scanner may be needed at 3 AM for a trauma case. This operational reality makes maintenance windows extremely narrow.

Applying a security patch to a server that manages drug prescriptions means potentially cutting access for 30 minutes. Thirty minutes during which an on-call doctor cannot check drug interactions for a patient arriving in the emergency department. The immediate human risk (being unable to prescribe) outweighs the hypothetical cyber risk (a vulnerability might be exploited). It is a rational calculation, but it creates a security debt that accumulates month after month.

Attackers know this. They also know that a hospital paralyzed by ransomware will face immense pressure to pay - because lives are at stake. It is a lever attackers do not have when targeting an e-commerce site.

Healthcare staff not trained in cybersecurity

A nurse, a care assistant, a doctor: their training is about care, not detecting phishing emails. And rightly so. The problem is that these same professionals use IT tools daily (email, electronic patient records, business applications) that are all potential entry points for an attacker.

According to the CESIN 2025 barometer, phishing remains the primary attack vector with 55% of cases. In the hospital sector, where staff is under permanent pressure, the phishing click rate is among the highest across all sectors. According to Proofpoint's State of the Phish 2025 benchmarks, healthcare shows an average click rate of 18 to 22% in the absence of an awareness program. For detailed benchmarks by sector: phishing click rates by industry.

Healthcare staff are not "negligent." They are overworked, understaffed, and nobody has trained them to distinguish a legitimate email from the national health insurance from an imitation. This is an organizational problem, not an individual one.

The French Regulatory Framework for Health Data

France has a dense legal and regulatory arsenal around health data protection. The problem is not the absence of rules: it is their effective enforcement.

HDS Certification (Health Data Hosting)

Since 2018, any host of personal health data must obtain HDS certification, issued by a COFRAC-accredited body. This requirement applies to any entity that hosts health data on behalf of a third party - cloud hosts, SaaS software vendors, managed service providers.

Certification covers two scopes:

  • Physical infrastructure host: data centers, servers, storage, network
  • Managed hosting provider: operation, administration, and security of the application infrastructure

The HDS standard was updated in 2024 to integrate new requirements, notably data localization within the European Economic Area and strengthened access controls. Certification is valid for 3 years, with a mandatory surveillance audit at 18 months.

In theory, HDS certification guarantees a minimum security level for health data hosts. In practice, the audited scope is limited: certification covers the host's processes, not the application security of the software running on the infrastructure. The Dedalus Biologie case demonstrated this: the data leaked not because of the host, but because of lax data management practices at the software vendor level.

GDPR and CNIL health-specific rules

Health data receives enhanced protection under the GDPR. Article 9 classifies health data as sensitive data, whose processing is prohibited by default, with limited exceptions (explicit consent, care necessity, public interest in public health, etc.).

The CNIL has published specific standards to govern health data processing in different contexts:

  • Medical research (reference methodologies MR-001 to MR-006)
  • Medical and paramedical practice management
  • Pharmacies
  • Medical laboratories

In the event of a health data breach, the mandatory CNIL notification within 72 hours (Article 33 GDPR) applies, along with the obligation to inform affected individuals if the risk is high (Article 34). The CNIL can impose fines of up to 20 million euros or 4% of global revenue.

Sanctions in the healthcare sector remain moderate relative to these ceilings: 1.5 million euros for Dedalus, 800,000 euros for Doctissimo (health data processing without consent, 2023). But the trend is upward, and the CNIL has announced that health data is among its enforcement priorities for 2025-2026.

Mon Espace Santé (Digital Health Space)

Launched in 2022, Mon Espace Santé is the public digital service that allows every policyholder to store and share their health data: prescriptions, lab results, hospital discharge summaries, vaccination records. The goal is to replace the Shared Medical Record (DMP) and give patients control over their data.

From a cybersecurity perspective, Mon Espace Santé concentrates the health data of tens of millions of French citizens on a single infrastructure. It is a gain in terms of standardization and security control (one system to secure, rather than thousands of medical practice servers), but it is also a very high-value target. A compromise of Mon Espace Santé would be an incident of unprecedented scale.

Hosting is provided by an HDS-certified consortium. Healthcare professional authentication uses the CPS card (Professional Health Card) or e-CPS. Patient access is via France Connect or a dedicated login. The system's security relies on the strength of these authentication mechanisms - exactly the type of mechanism that failed at Viamedis and Almerys.

PGSSI-S: The Ministry's security framework

The PGSSI-S (General Security Policy for Health Information Systems) is the reference framework published by the Ministry of Health's Digital Health Delegation (DNS). It defines security requirements for health information systems: authentication, authorization, traceability, access accountability.

The PGSSI-S has been enforceable since its integration into health software certification requirements. Concretely, a vendor of medical practice management software or hospital electronic patient records must comply with PGSSI-S standards to obtain Ségur digital health certification and be eligible for national health insurance funding.

The framework requires notably:

  • Strong authentication for healthcare professionals (via CPS or e-CPS card)
  • Encryption of data exchanges between professionals
  • Traceability of health data access
  • Identity and authorization management

It is an ambitious framework. But the gap between the standard and ground-level reality is considerable. How many medical practices actually use the CPS card to access their software, rather than a simple shared password among all practitioners? The question is rhetorical.

The Government Response: The CaRE Program and ANSSI on the Front Line

Faced with the accumulation of incidents, the French government eventually responded. Two axes structure this response: the CaRE program led by the Ministry of Health and operational support from ANSSI.

The CaRE program: 750 million euros for hospital cybersecurity

Announced in late 2023, the CaRE program (Cybersecurity Acceleration and Resilience for Healthcare Facilities) is the first major investment plan dedicated to cybersecurity in the French healthcare sector. Announced budget: 750 million euros over the 2023-2027 period.

The program is structured around four domains:

Domain 1 - Governance and resilience. Each healthcare facility must conduct a cybersecurity maturity audit, appoint a cybersecurity officer, and develop a business continuity and disaster recovery plan (BCP/DRP) integrating the cyber scenario.

Domain 2 - Resources and pooling. Funding for hospital groups (GHT) to pool cyber expertise across facilities, creation of shared security operations centers (SOCs).

Domain 3 - Awareness training. Training hospital staff in cybersecurity best practices. This is where phishing simulation exercises come in. The program requires facilities to conduct at least one cyber crisis exercise per year, including a phishing attack simulation. For healthcare SMBs (laboratories, clinics, service providers), phishing simulation for businesses is an accessible and measurable starting point.

Domain 4 - Operational security. Deployment of multi-factor authentication, network segmentation, regularly tested offline backups, Active Directory hardening.
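Domain 4 starts with multi-factor authentication, and the Viamedis intrusion described earlier went through with a single username/password pair. The following is an added example, not code from the CaRE program or from any of the organizations named on this page, showing the server side of a time-based second factor (TOTP, RFC 6238) beside a password check: a stolen password alone yields no 6-digit code, each code is valid for one 30-second step, and an accepted counter is never accepted twice. The TOTP secret is the RFC 6238 test-vector seed; the user record, identifiers and iteration count are constructed for the example.

```python
"""Password + TOTP (RFC 6238) verification, as an added example.

The user store, identifiers and PBKDF2 round count are constructed for this
example; the TOTP secret is the public RFC 6238 Appendix B test seed.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
PBKDF2_ROUNDS = 100_000   # constructed choice for the example


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """Code for the 30-second step containing Unix time `at`."""
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, at: int,
                skew_steps: int = 1, last_used_counter: int = -1) -> tuple:
    """Accept the current step or its +-skew_steps neighbours (clock drift),
    but never a counter at or below the last accepted one (replay defence).
    Returns (accepted, counter to persist for the user)."""
    now_counter = at // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = now_counter + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_used_counter


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user store: one healthcare-professional account.
USERS = {
    "pro-0001": {
        "salt": b"constructed-salt-0001",
        "pw_hash": _pw_hash("correct horse battery staple", b"constructed-salt-0001"),
        "totp_secret": b"12345678901234567890",   # RFC 6238 Appendix B seed
        "last_counter": -1,
    }
}


def login(user_id: str, password: str, code: str, at: int) -> bool:
    """Both factors are checked; a valid password with a wrong or replayed
    code fails exactly like a wrong password."""
    rec = USERS.get(user_id)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw_hash"])
    code_ok, counter = verify_totp(rec["totp_secret"], code, at,
                                   last_used_counter=rec["last_counter"])
    if pw_ok and code_ok:
        rec["last_counter"] = counter   # burn the counter so this code cannot be replayed
        return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for pro-0001:", totp(USERS["pro-0001"]["totp_secret"], now))
    print("password only:", login("pro-0001", "correct horse battery staple", "000000", now))
```

The skew window is the usual trade-off: one step on either side absorbs clock drift between the authenticator and the server, while the persisted counter keeps a code that was phished and relayed within those 90 seconds from being used a second time.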

Funding flows through the Regional Health Agencies (ARS): facilities that meet the defined objectives receive supplementary funding. It is an incentive-based rather than coercive mechanism. Early results are encouraging: according to the Ministry, 70% of healthcare facilities had completed at least one cyber crisis exercise by the end of 2025, up from less than 30% at the end of 2022.

The question of pace remains. Seven hundred fifty million euros over five years for the entire French hospital sector may sound ambitious. But divided among the 3,000 public and private healthcare facilities nationwide, that comes to 250,000 euros per facility per year. For a university hospital with several thousand workstations, it is a start, not a complete solution.

ANSSI: Healthcare task force and operational support

ANSSI has created a dedicated healthcare team, tasked with supporting the most exposed facilities and intervening during incidents. In practice, this means:

  • Free security audits for priority healthcare facilities (university hospitals, regional hospitals, reference centers)
  • Incident assistance: when a hospital is hit by ransomware, ANSSI dispatches a response team within hours (as at Dax and Corbeil-Essonnes)
  • Alert dissemination: when a critical vulnerability affects software used in the healthcare sector, ANSSI issues a targeted alert to facilities
  • CERT Santé: the cybersecurity incident response center dedicated to the healthcare sector, operated by the Digital Health Agency (ANS), handles incident reports and coordinates responses

In 2023, CERT Santé processed 581 incident reports affecting healthcare structures, of which 50% were classified as "major or serious." That is more than one incident per day. And this figure only counts reported incidents - many healthcare actors, particularly small structures (practices, laboratories, pharmacies), do not report the incidents they experience.

Secondary Exploitation: When Your Health Data Is Used to Phish You

This is the blind spot of the debate. There is much discussion of data theft and its direct consequences (identity theft, fraud). There is less discussion of the second wave: where stolen data is used as raw material for targeted phishing campaigns.

The typical post-Viamedis scenario

Imagine. You are among the 33 million people whose data was compromised at Viamedis. An attacker buys a batch of this data on the dark web. They know you are insured with [your insurer's name], that your social security number is [X], and that your contract covers dental and vision.

Three weeks after the breach, you receive an email:

Subject: [Your insurer's name] - Mandatory update following the Viamedis incident

Dear [your name],

Following the compromise of data at our provider Viamedis, we invite you to verify and update your bank details to ensure continuity of your reimbursements.

Your contract no. [real number] - Social security: [first 3 digits of your NIR]***

Click here to access your secure portal.

This email is fake. But it contains enough real data (insurer name, incident context, partial NIR) to appear perfectly legitimate. The recipient, who knows perfectly well that their data was stolen at Viamedis, expects to receive this type of communication. They click.

This is exactly what happened in the weeks following the Viamedis-Almerys leak. Cybermalveillance.gouv.fr issued a specific alert about phishing campaigns exploiting the breach data. The CNIL reminded people of best practices. But the damage was done: the data was in the wild, and the phishing campaigns had begun.
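What makes the scenario above dangerous is that the lure's content is genuine: the insurer, the incident, part of the NIR. Mail filtering therefore has to score what the lure cannot fake cheaply: a sender domain the insurer does not own, a Reply-To pointing elsewhere, link text that disagrees with its href, and the urgency and bank-details ask. The following is an added example, not code from nophi.sh or from any mail-security product, that runs such checks over two constructed messages; the insurer name, every domain, the weights and the threshold are constructed for the example.

```python
"""Triage checks for a post-breach phishing e-mail (added example).

Scores header and link inconsistencies plus the lure's language. The two
sample messages, the insurer and all domains are constructed; the weights
and threshold are editorial choices, not a standard or a vendor's.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the (constructed) insurer actually sends from and hosts its portal on.
KNOWN_DOMAINS = {"example-mutuelle.fr"}
URGENCY_TERMS = ("mandatory", "immediately", "within 24 hours", "suspended", "continuity")
BANK_TERMS = ("bank details", "iban", "rib", "card number")
LURE_TERMS = ("incident", "compromise", "data breach")
WEIGHTS = {"sender_domain_unknown": 3, "reply_to_elsewhere": 2, "link_to_unknown_domain": 3,
           "link_text_mismatch": 2, "urgency_language": 1, "bank_details_request": 2,
           "breach_lure": 1}
QUARANTINE_AT = 5


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .fr/.com, wrong for co.uk-style suffixes."""
    parts = host.lower().split(":")[0].split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def _body_text(msg) -> str:
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def _has_term(text: str, terms) -> bool:
    return any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in terms)


def analyse(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + re.sub(r"<[^>]+>", " ", body)).lower()
    findings = []

    from_dom = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    if from_dom not in KNOWN_DOMAINS:
        findings.append("sender_domain_unknown")
    if reply_addr and registrable(reply_addr.rsplit("@", 1)[-1]) != from_dom:
        findings.append("reply_to_elsewhere")

    parser = _Links()
    parser.feed(body)
    for href, visible in parser.links:
        href_dom = registrable(urlparse(href).netloc)
        if href_dom not in KNOWN_DOMAINS and "link_to_unknown_domain" not in findings:
            findings.append("link_to_unknown_domain")
        m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", visible.lower())
        if m and registrable(m.group(1)) != href_dom and "link_text_mismatch" not in findings:
            findings.append("link_text_mismatch")

    for terms, name in ((URGENCY_TERMS, "urgency_language"), (BANK_TERMS, "bank_details_request"),
                        (LURE_TERMS, "breach_lure")):
        if _has_term(text, terms):
            findings.append(name)

    score = sum(WEIGHTS[f] for f in findings)
    return {"score": score, "findings": findings,
            "verdict": "quarantine" if score >= QUARANTINE_AT else "deliver"}


# Constructed sample mirroring the scenario above: look-alike sender, foreign Reply-To,
# link text showing the real portal while the href points elsewhere.
PHISH_SAMPLE = """\
From: "Example Mutuelle" <service@example-mutuelle-secure.com>
Reply-To: contact@mail-support.example.net
Subject: Example Mutuelle - Mandatory update following the incident at our provider
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear member,</p>
<p>Following the compromise of data at our third-party payment provider, please verify
your bank details immediately to ensure continuity of your reimbursements.</p>
<p><a href="http://example-mutuelle-secure.com/portal">https://www.example-mutuelle.fr/espace-client</a></p>
</body></html>
"""

# Constructed legitimate statement notice from the insurer's own domain.
LEGIT_SAMPLE = """\
From: "Example Mutuelle" <service@example-mutuelle.fr>
Subject: Your reimbursement statement for March
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in your member area:
<a href="https://www.example-mutuelle.fr/espace-client">example-mutuelle.fr</a>.</p></body></html>
"""

if __name__ == "__main__":
    print(analyse(PHISH_SAMPLE))   # verdict: quarantine
    print(analyse(LEGIT_SAMPLE))   # verdict: deliver
```

Note what the checks do not look at: the victim's name, contract number or partial NIR. After a breach those fields are in the attacker's hands, so their presence carries no signal; the infrastructure the message points back to is what still has to be faked.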

Why post-breach phishing is so effective

The psychology of phishing rests on cognitive biases: urgency, authority, consistency. A generic phishing email exploits these biases crudely. A phishing email built from real data exploits them with surgical precision.

When the email mentions your actual insurer, cites the Viamedis incident you saw on the news, and contains part of your social security number, your brain takes a shortcut: "This email knows my data. Therefore it is legitimate." This is the familiarity bias in action. Familiar information disarms your brain's anomaly detection system.

Result: the click rate on these targeted post-breach phishing campaigns is 3 to 5 times higher than the rate on generic phishing. According to internal data from our platform at nophi.sh, phishing simulations that incorporate specific contextual elements (company name, sector context) generate a click rate 2.8 times higher than generic scenarios.

The vicious cycle: data leads to phishing leads to more data

This is the mechanism that makes health data breaches so dangerous over the long term. Phase 1: an attacker steals health data (e.g., Viamedis). Phase 2: they use this data to build targeted phishing campaigns against the victims. Phase 3: these campaigns steal new data (banking credentials, professional passwords). Phase 4: this new data is used for further attacks.

It is an amplification loop. Each data breach feeds subsequent breaches. And health data, because it is permanent and deeply personal, is a particularly powerful accelerant of this loop.

The French Healthcare Sector in Numbers: A Massive Target

To measure the scale of the attack surface, some figures on the healthcare sector in France.

| Indicator | Figure | Source |
|---|---|---|
| Healthcare facilities (public and private) | 3,000+ | DGOS 2024 |
| Self-employed physicians | 127,000 | DREES 2024 |
| Community pharmacies | 20,500 | Order of Pharmacists 2024 |
| Medical laboratories | 4,000 | Biologists' Union 2024 |
| Healthcare sector employees | 1.4 million | INSEE 2024 |
| Records in Mon Espace Sante | 70 million | DNS/ANS 2025 |
| CERT Sante incident reports in 2023 | 581 | CERT Sante 2023 report |

Each of these actors handles health data. Each has information systems. Each is a potential entry point. And the majority - general practices, pharmacies, small laboratories - have neither a CISO, a cybersecurity budget, nor an awareness program.

International Comparison: France Is Not Alone, But Is Falling Behind

The problem of cyberattacks against the healthcare sector is not uniquely French. But France's response is lagging behind comparable countries.

United Kingdom: The WannaCry trauma

In May 2017, the WannaCry ransomware paralyzed dozens of NHS hospitals. Thousands of cancelled operations, ambulances redirected, patient records inaccessible. Estimated cost: 92 million pounds (NAO, 2018).

The response was swift and massive: creation of the NHS Digital Security Operations Centre, investment of 338 million pounds in a dedicated cybersecurity program, mandatory appointment of a cybersecurity lead at each hospital trust, and regular audits (Data Security and Protection Toolkit).

France experienced its own "WannaCry" moments (Dax, Villefranche, Corbeil-Essonnes), but the budgetary response arrived 4 to 5 years later.

United States: HIPAA and deterrent fines

In the United States, HIPAA (Health Insurance Portability and Accountability Act) has imposed specific health data security requirements since 1996. Fines for non-compliance are deterrent: up to $1.9 million per violation category per year. The Department of Health and Human Services (HHS) publishes a "Wall of Shame" listing all breaches affecting more than 500 people.

This forced transparency - every incident is public, with the organization's name and the number of affected individuals - creates strong reputational pressure. In France, publicity around CNIL sanctions and breach notifications is more limited.

Germany: BSI and sector certification

Germany, through the BSI (Federal Office for Information Security), requires hospitals classified as "critical infrastructure" (more than 30,000 hospitalized cases per year) to demonstrate compliance with specific security standards (B3S Krankenhaus). This requirement has existed since 2019 and covers approximately 120 German hospitals.

What Healthcare Organizations Must Do Concretely

The findings are established. Let us move to recommendations. Here is what healthcare facilities, software vendors, service providers, and subcontractors must implement. Ranked by priority and effort-to-impact ratio.

Priority 1: Multi-factor authentication everywhere

This is the measure that could have prevented at least three of the major incidents described in this article (Viamedis, France Travail via Cap Emploi, AP-HP). MFA is not optional. Every access to health data - web portal, VPN, electronic patient records, email - must be protected by at least two-factor authentication.

The CPS card is an MFA mechanism for healthcare professionals. But it is not used for all access points. Service accounts, provider VPN access, web management portals: that is where MFA is most often missing.

Cost: low relative to impact. Authenticator apps (Microsoft Authenticator, Duo) are free for the user and FIDO2 keys cost a few tens of euros each; the real cost is the rollout and the enrolment of existing accounts, including the service accounts and provider VPN logins that nobody owns. Few security measures offer a better cost-effectiveness ratio.

Priority 2: Train staff on phishing

Healthcare staff are the first line of defense against phishing. They are also the least prepared. A regular phishing simulation program - monthly - can bring the click rate from 18-22% down to below 5% within 12 months.

The CaRE program already requires an annual cyber crisis exercise. But one exercise per year is not an awareness program. It is a one-off event. Lasting risk reduction requires regular simulations, micro-training triggered by failures, and tracking of metrics over time. To structure a complete program, see the guide: cybersecurity training for employees, SMB guide.

In the post-Viamedis context, simulation scenarios should include emails imitating the national health insurance, supplementary insurers, and Mon Espace Sante services. These are the scenarios healthcare staff will actually encounter.

Priority 3: Segment the network

An MRI scanner running Windows XP has no reason to be able to communicate with the email server. A lab analyzer does not need internet access. Network segmentation - isolating medical equipment in dedicated VLANs, and restricting traffic between segments to a default-deny policy with explicit exceptions - drastically reduces an attacker's ability to move laterally through the network after an initial intrusion. The exceptions are the hard part: each one is a business dependency that has to be identified, documented and reviewed.

This is one of the four pillars of the CaRE program. And one of the most difficult to implement in an existing hospital, because business applications were designed assuming a flat network. But it is essential.
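Segmentation is only real if it is verified. As an added example (not from the article or the CaRE program), the Python script below checks a constructed set of observed flows against a default-deny inter-zone policy of the kind segmentation is meant to enforce: it is how you would confirm, from flow logs, that the MRI VLAN really cannot reach the mail server. The zone addressing plan, the allowed-port matrix and the whitespace-separated flow line format are all assumptions made for the example.

```python
"""Check observed network flows against a hospital segmentation policy.

Added example, not from the original article. Zones, addresses, ports and
the flow records are constructed for illustration; the 'src dst proto dport'
line format is an assumption, not a specific vendor's export format.
"""
import ipaddress
from collections import namedtuple

# Zones: name -> list of networks (assumed addressing plan).
ZONES = {
    "medical_devices": [ipaddress.ip_network("10.20.0.0/16")],   # MRI, analyzers
    "clinical_apps":   [ipaddress.ip_network("10.30.0.0/16")],   # EPR, PACS, LIS
    "office":          [ipaddress.ip_network("10.40.0.0/16")],   # staff workstations
    "mail":            [ipaddress.ip_network("10.50.1.0/24")],   # mail servers
    "internet":        [ipaddress.ip_network("0.0.0.0/0")],      # catch-all
}

# Default-deny policy: (src_zone, dst_zone) -> allowed destination ports.
# Any inter-zone flow not listed here is a violation. Ports are assumptions.
ALLOWED = {
    ("medical_devices", "clinical_apps"): {104, 11112},   # DICOM to PACS
    ("office", "clinical_apps"):          {443},
    ("office", "mail"):                   {443, 993},
    ("office", "internet"):               {80, 443},
    ("clinical_apps", "mail"):            {25},           # application notifications
}

Flow = namedtuple("Flow", "src dst proto dport")


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst proto dport' line (constructed format)."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def check_flows(lines):
    """Return (flow, src_zone, dst_zone) for every flow the policy does not allow."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        sz, dz = zone_of(flow.src), zone_of(flow.dst)
        if sz == dz:
            continue  # intra-zone traffic is out of scope for this check
        if flow.dport not in ALLOWED.get((sz, dz), set()):
            violations.append((flow, sz, dz))
    return violations


# Constructed sample: one compliant DICOM flow, one compliant web flow,
# an MRI talking SMTP to the mail server, an analyzer reaching the internet,
# and a workstation opening SMB on the MRI.
SAMPLE_FLOWS = """
# src            dst            proto dport
10.20.3.7        10.30.10.5     tcp   104
10.20.3.7        10.50.1.10     tcp   25
10.20.9.12       93.184.216.34  tcp   443
10.40.22.9       10.30.10.5     tcp   443
10.40.22.9       10.20.3.7      tcp   445
""".strip().splitlines()

if __name__ == "__main__":
    for flow, sz, dz in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {sz} -> {dz}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Point it at a NetFlow, sFlow or firewall log export after adapting parse_flow. Every line it reports is either a missing ACL or an undocumented dependency that needs a written exception, which is exactly the inventory work that makes segmenting an existing hospital slow.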

Priority 4: Audit the supply chain

Every provider with access to health data must undergo a security assessment. Not a 50-page questionnaire filled out once and filed in a drawer: a real audit of security practices, with verification of HDS certification, MFA, encryption, and incident management.

Start with the essentials: do your providers properly protect their emails? A spoofed email in the name of a medical software vendor can fool any healthcare worker. Test the email security of your domain and your providers - it is free and takes 30 seconds.

The Viamedis case showed that 33 million people can be exposed by a single poorly secured provider. Third-party mapping and auditing is not a luxury - it is an obligation in practice.

Priority 5: Offline backups, tested

Ransomware encrypts everything it can reach. If your backups are on the same network as your production servers, they will be encrypted at the same time. The Dax hospital took three weeks to return to normal, in part because its backups had themselves been partly compromised.

The rule: daily backups, stored offline (air gap) or on a completely isolated network, and regularly tested through restoration exercises. Too many organizations discover their backups do not work at the moment they need them.
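Testing restoration does not have to wait for a disaster, and it should check more than "the job ran". As an added example (not the article's own tooling), the Python script below builds a SHA-256 manifest when the backup is taken and later compares a restored copy against it, reporting missing, extra and corrupted files; a tamper flag simulates damaged media so the failure path is exercised too. It copies into a temporary directory so it runs offline; the file names and contents are constructed, and the assumption is that in practice the manifest travels with the offline copy and the restore target is an isolated scratch host, never production.

```python
"""Backup manifest and restore verification.

Added example, not the article's code. The 'backup' is a plain directory
copy inside a temp folder so the script runs offline; in real use the
manifest is stored with the offline/immutable copy and the restore target
is an isolated scratch machine (assumption).
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, dest: Path) -> Path:
    """Copy source to dest/data and write manifest.json beside it; return the manifest path."""
    shutil.copytree(source, dest / "data")
    manifest = build_manifest(dest / "data")
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return dest / "manifest.json"


def verify_restore(restored: Path, manifest_path: Path) -> dict:
    """Compare a restored tree to the manifest and return a report dict."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or extra or corrupted),
            "missing": missing, "extra": extra, "corrupted": corrupted}


def restore_exercise(tamper: bool = False) -> dict:
    """Full cycle: create constructed data, back it up, restore it, verify.

    tamper=True overwrites one file and deletes another in the restored copy
    to simulate damaged media, so the check must report a failure.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, bkp, rst = tmp / "prod", tmp / "backup", tmp / "restore"
        src.mkdir()
        (src / "records").mkdir()
        # Constructed sample content, not real patient data.
        (src / "records" / "patient-0001.json").write_text('{"id": 1, "note": "constructed"}')
        (src / "records" / "patient-0002.json").write_text('{"id": 2, "note": "constructed"}')
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = backup(src, bkp)
        shutil.copytree(bkp / "data", rst)      # the "restore" step
        if tamper:
            (rst / "records" / "patient-0002.json").write_text("corrupted")
            (rst / "config.ini").unlink()
        return verify_restore(rst, manifest)


if __name__ == "__main__":
    print("clean restore:", restore_exercise())
    print("damaged media:", restore_exercise(tamper=True))
```

The manifest is what turns "we have backups" into "we can prove the restored data is the data we saved"; keep a copy of it somewhere the backup system itself cannot rewrite, otherwise ransomware that reaches the backup can rewrite both.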

Priority 6: Plan incident response

When ransomware strikes, it is too late to wonder whom to call. A documented incident response plan, tested through regular exercises, must cover:

  • Detection and qualification: how to identify an ongoing incident, who assesses severity
  • Containment: who decides to disconnect systems, how to switch to manual procedures
  • Notification: CNIL (72h), ARS, CERT Sante, law enforcement, affected patients
  • Forensics: evidence preservation, technical investigation (internal or external provider)
  • Crisis communication: internal (staff), external (patients, media, regulators)
  • Reconstruction: system restoration, service recovery priorities

CERT Sante provides an incident response kit tailored to the hospital sector. ANSSI offers standardized cyber crisis exercises. The tools exist. They need to be used.

For healthcare SMBs (practices, laboratories, pharmacies) that cannot afford a full response plan, the bare minimum: know whom to call (CERT Sante number: 09 72 43 91 25) and have offline backups. It is a basic safety net, but it is already better than nothing.

Healthcare Subcontractors: The Forgotten Players of Cybersecurity

We have talked extensively about hospitals. But the health data value chain does not end at the hospital walls. Software vendors, hosts, third-party payment operators, radiology practices, medical laboratories, medical equipment maintenance companies: each of these actors handles health data and constitutes a link in the chain.

It is often the weakest link that breaks.

Viamedis was a third-party payment operator. Dedalus Biologie was a software vendor. The AP-HP attack exploited a file transfer tool. Each time, the entry point was a subcontractor, not the healthcare facility itself.

For SMBs that provide services to the healthcare sector - software vendors, IT providers, consulting firms - this means cybersecurity is no longer a competitive differentiator. It is a condition for survival. A vendor that suffers a health data leak faces CNIL fines, loss of HDS certification, and the end of its commercial relationships with the hospital sector.

The first step, accessible to any SMB, is to secure attack vector number one: email. Verify that your domain has correct SPF, DKIM, and DMARC configuration. Then test your team's phishing resistance with regular simulations. Finally, document your security practices so you can respond to your hospital clients' audits.

The Special Case of Community Healthcare

Community healthcare is too often forgotten. The 127,000 self-employed physicians, 20,500 pharmacies, and thousands of nursing, physiotherapy, and dental practices: all handle health data, all use information systems, and most have no cybersecurity measures worthy of the name.

A typical French medical practice in 2026: practice management software (often outdated), a computer running Windows 10 or 11 (sometimes still Windows 7), internet access without a professional firewall, simple shared passwords among practitioners, and no offsite backup.

The doctor is not responsible for this situation. They were not trained in IT, much less in cybersecurity. Their software vendor handles (or does not handle) updates. Their "IT person" is often a friend or a local provider who visits once a year.

And yet, this practice holds health data of extreme sensitivity: diagnoses, prescriptions, lab results, clinical notes. If an attacker compromises the practice, they access information that even a breach like Viamedis did not contain (Viamedis only held "administrative" data, not medical records per se).

The CNIL has repeatedly reminded healthcare professionals of their IT security obligations. The PGSSI-S framework applies to them. But concrete support is lacking. The CaRE program primarily targets healthcare facilities, not community medicine.

Lessons for Companies Outside the Healthcare Sector

If you run a company that is not in the healthcare sector, you might think this article does not concern you. That would be a mistake.

Your employees are patients. Their health data has probably been compromised in one of the breaches described here. Thirty-three million people affected by Viamedis, 1.4 million by AP-HP, 500,000 by Dedalus. Statistically, a significant proportion of your employees is affected. This means they will receive credible phishing emails exploiting their health data. And these emails will arrive on their professional inbox as much as their personal one.

Your company health insurance generates health data. If you provide supplementary health coverage to your employees (mandatory for businesses in France since 2016), you contribute to the flow of health data circulating between insurers, third-party payment operators, and healthcare professionals. The security of that data depends on your providers, whom you have probably never audited.

The attack techniques are transferable. The vulnerabilities exploited in the healthcare sector (lack of MFA, phishing, compromised supply chain, obsolete systems) are exactly the same ones that hit SMBs in every sector. The article on what a cyberattack costs an SMB with 50 employees details the concrete consequences, sector by sector.

Preparing Your Organization: Where to Start

The list of recommendations may seem long. For organizations starting from zero (or close to it), here is a five-step action plan, in order of priority.

Step 1: Enable MFA on all critical access. Email, VPN, business applications, admin accounts. Deployment time: 1 to 5 days. Cost: virtually zero.

Step 2: Launch an initial phishing simulation. You need a baseline measurement: what is your team's current click rate? Without this measurement, you do not know where you stand. Create an account on nophi.sh and launch your first simulation in 15 minutes.

Step 3: Check your email configuration. SPF, DKIM, DMARC: these three protocols prevent attackers from sending emails that spoof your domain. Test your domain for free. If the result is not green, fix it this week. Publishing the records is an hour of DNS work; the one caveat is DMARC enforcement. Start with p=none and a rua= reporting address, read the reports for a few weeks to find every legitimate sender (ticketing tool, newsletter platform, the practice management vendor), then move to p=quarantine and finally p=reject. Going straight to p=reject blocks your own mail before it blocks a spoofer's. For the complete guide: SMB email security: SPF, DKIM, DMARC.

Step 4: Set up offline backups. If you do not have a tested air-gap backup, you are playing roulette with ransomware. Investment: a NAS or a dedicated cloud service, not on the same network as production and not permanently mounted from it. A share that production servers can write to is a share ransomware can encrypt: use rotated disconnected media, object storage with immutability (object lock), or at minimum credentials that production systems never hold. Add a quarterly restoration test.

Step 5: Audit your critical providers. Start with those who access your most sensitive data. Ask the basic questions: do they use MFA? How do they manage backups? Are they certified (HDS for health data, ISO 27001 otherwise)? Do they have an incident response plan?
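Step 3 above, like Priority 4 and the subcontractors section, tells you to check SPF, DKIM and DMARC for your own domain and your providers'. As an added example (not the article's free test tool), the Python code below shows what such a check actually evaluates: it parses the three record types and grades them, flagging +all, a missing all mechanism, p=none, pct below 100 and absent records. It reads from a constructed dict of TXT records instead of querying DNS, so it runs offline; the domain names, records, DKIM key and selector names are made up, and lookup() is a stand-in to replace with a real resolver.

```python
"""Grade SPF, DKIM and DMARC records for a domain.

Added example, not the article's tool. Reads from a constructed dict of TXT
records instead of DNS so it runs offline; domains, records and selectors
are made up. Replace lookup() with a real resolver for live checks.
"""

# Constructed sample zone data: record name -> list of TXT strings.
SAMPLE_TXT = {
    "good-clinic.example":               ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 -all"],
    "_dmarc.good-clinic.example":        ["v=DMARC1; p=reject; rua=mailto:dmarc@good-clinic.example; pct=100"],
    "s1._domainkey.good-clinic.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"],
    "weak-vendor.example":               ["v=spf1 include:_spf.mailhost.example +all"],
    "_dmarc.weak-vendor.example":        ["v=DMARC1; p=none"],
    "no-records.example":                [],
}


def lookup(name: str) -> list:
    """Stand-in for a DNS TXT query (assumption: swap in dnspython or similar)."""
    return SAMPLE_TXT.get(name, [])


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' style records (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(domain: str):
    recs = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not recs:
        return "missing", "no SPF record: anyone can send as this domain"
    if len(recs) > 1:
        return "broken", "multiple SPF records: receivers treat this as permerror"
    terms = recs[0].split()
    # The 'all' mechanism and its qualifier decide what happens to unlisted senders.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None or all_term == "all" or all_term.startswith("+"):
        return "weak", "+all or no all mechanism: every sender passes SPF"
    if all_term.startswith("?"):
        return "weak", "?all is neutral: no protection"
    if all_term.startswith("~"):
        return "ok", "~all softfail: acceptable, -all is stricter"
    return "ok", "-all hardfail"


def check_dkim(domain: str, selectors=("s1", "default", "selector1")):
    """Selectors are not discoverable from DNS; the list is an assumption."""
    found = []
    for sel in selectors:
        for r in lookup(f"{sel}._domainkey.{domain}"):
            tags = parse_tags(r)
            if tags.get("p"):
                found.append(sel)
            elif "p" in tags:
                return "revoked", f"selector {sel} publishes an empty p= (key revoked)"
    if not found:
        return "unknown", "no DKIM key at the tested selectors; ask the sending system which it uses"
    names = ", ".join(found)
    return "ok", f"DKIM public key published for selector(s) {names}"


def check_dmarc(domain: str):
    recs = [r for r in lookup(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "missing", "no DMARC record: SPF/DKIM results are never enforced"
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        msg = "p=none only monitors; spoofed mail is still delivered"
        if "rua" not in tags:
            msg += " (and no rua=, so nobody even receives reports)"
        return "weak", msg
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return "partial", f"p={policy} applied to only {pct}% of mail"
        return "ok", f"p={policy}"
    return "broken", f"unrecognised policy {policy!r}"


def assess(domain: str) -> dict:
    spf, dkim, dmarc = check_spf(domain), check_dkim(domain), check_dmarc(domain)
    # Green only when SPF restricts senders and DMARC enforces the result.
    overall = "green" if spf[0] == "ok" and dmarc[0] == "ok" else "red"
    return {"domain": domain, "spf": spf, "dkim": dkim, "dmarc": dmarc, "overall": overall}


if __name__ == "__main__":
    for d in SAMPLE_TXT:
        if not d.startswith("_dmarc.") and "_domainkey." not in d:
            print(assess(d))
```

Run it against a provider's domain before a contract review: "weak-vendor.example" in the sample has SPF +all and DMARC p=none, which is the configuration that lets an attacker send mail "from" a medical software vendor to every one of its hospital customers.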

The Future: More Targeted, More Sophisticated, More Automated Attacks

Phishing based on stolen health data will intensify. Three trends are converging to worsen the situation.

Generative AI powering phishing. Language models can already generate personalized phishing emails at scale, in flawless French, adapting tone and vocabulary to the medical context. Combine this capability with a database of 33 million Viamedis records, and you get phishing campaigns of unprecedented scale and precision. To learn more about evolving attack techniques: new forms of phishing: quishing, vishing, smishing.

Convergence of stolen databases. France Travail (43M), Viamedis (33M), Free (19M), Fnac-Darty (15M), SFR (3.6M)... By cross-referencing these databases, an attacker builds complete profiles of tens of millions of French citizens. The medical record is the missing piece that makes the profile exploitable for blackmail or advanced social engineering.

Expanding attack surface with medical IoT. Connected insulin pumps, glucose monitors, communicating cardiac implants, remote monitoring of chronic patients: the Internet of Medical Things multiplies entry points. Each connected medical device is an additional network node, often running unpatched firmware and speaking unencrypted protocols, and rarely something the hospital can patch itself without the manufacturer.

Facing these trends, the healthcare sector's security posture must evolve from a reactive model (fixing after the incident) to a proactive one (preventing before the incident). The CaRE program is a first step. Regular phishing simulations, MFA, and network segmentation are the foundations. But more will be needed, faster.

A Factual Conclusion

Health data is the most lucrative target for cybercriminals. Not because French hospitals are particularly poorly protected - although they are - but because the very nature of this data (permanent, sensitive, exploitable in multiple ways) makes it a very high-value asset on criminal markets.

France accumulated a cybersecurity debt in the healthcare sector for years. The attacks of 2019-2024 - Ramsay Sante, Dax, Villefranche, Corbeil-Essonnes, Dedalus, AP-HP, Viamedis - are the direct result. The CaRE program and the 750-million-euro investment mark a turning point, but the effects will only be felt in the medium term.

In the meantime, every organization - hospital, clinic, laboratory, medical practice, software vendor, IT provider, and any company whose employees are patients - has an interest in acting now on the fundamentals: MFA, phishing simulations, backups, provider audits.

The health data of millions of French citizens is already circulating on the dark web. The question is no longer whether it will be exploited, but when and how. And the best preparation is to have teams that know how to recognize a phishing email when it arrives - because it will arrive.

Browse our French cyber incident database to find all the incidents mentioned in this article, with technical details and sources.

First concrete action: test your team's phishing resistance - first simulation in 15 minutes, no credit card required.
