French healthcare technology company Cegedim suffered a major cyberattack in late 2025 that compromised personal data of approximately 15 million patients, authorities confirmed Wednesday. Hackers exploited vulnerabilities in the company’s widely used medical software to steal names, addresses, and in some cases sensitive medical notes including disease diagnoses and personal information.
The breach targeted Cegedim’s “Mon Logiciel Médical” (MLM) software, a widely used medical practice management system. Of the 3,800 medical professionals using the platform, 1,500 were directly impacted, the company disclosed. The intrusion remained undetected for months before Cegedim’s security teams identified “un comportement anormal” (abnormal behavior) on the platform and filed a complaint with the Paris prosecutor on October 27, 2025.
The breach only became public this week when France 2 first reported the incident, prompting immediate confirmation from both Cegedim and the Ministry of Health. According to Le Monde, one of the hackers has already placed a sample of the stolen data online and offered the complete database for sale on a forum, claiming it contains information on 19 million patients, higher than official estimates.
Severity of Compromised Information
While administrative data including names, phone numbers, and addresses was exposed for the vast majority of victims, approximately 169,000 patients faced a far more severe breach. For this subset, hackers accessed free-text medical notes that contained highly sensitive details about specific diseases including AIDS, patient sexuality, and personal circumstances such as having family members in prison, according to news outlets reviewing the data.
Cybersecurity experts warned that the permanent nature of medical data makes it particularly valuable for criminals, who can leverage it for targeted phishing attacks, medical identity fraud, and extortion campaigns for years to come. The breach establishes a direct link between patients and their doctors, creating long-term privacy risks.
The Paris prosecutor’s office has launched a formal investigation for “atteintes à un système automatisé de données” (offenses against an automated data system), assigning the case to its specialized cybercrime brigade. The Ministry of Health issued a formal demand requiring Cegedim to implement immediate corrective security measures.
Experts consider this potentially the largest health data breach in French history, exposing what they describe as systemic under-investment in cybersecurity across the healthcare sector. Cegedim has secured the compromised access points and notified the French data protection authority (CNIL), though the full consequences for the company and affected individuals remain to be determined.
Sources
- Le Monde
- France Info


























