Cyber Incident Victim: Polyclinique du Cotentin

Date: Nov 2023

Location: France

Summary

The Polyclinique du Cotentin suffered a cyberattack involving data encryption and prolonged system unavailability, claimed by the Lockbit group, which also exfiltrated patient and staff data from a central file server. Despite the intrusion, clinical operations remained unaffected with no care cancellations or compromises to patient safety. The clinic promptly notified regional health authorities, CERT-Santé, and data protection regulators, filed a police complaint, and engaged its IT provider for system recovery. Affected individuals are being notified of the personal data breach, though no misuse has been confirmed. Security enhancements are being implemented during system reconstruction to address evolving cyber threats, building upon existing regional health security standards met prior to the incident.

Description

On November 16, 2023, Polyclinique du Cotentin experienced a cyber intrusion that encrypted its information system data and caused prolonged system unavailability. The Lockbit criminal group claimed responsibility for the attack, threatening to publish exfiltrated data they had downloaded. Despite the encryption and system disruption, clinical operations continued without cancellations of consultations, examinations, or surgical procedures, with all patients receiving care meeting required quality and safety standards. The facility immediately notified the Normandy Regional Health Agency (ARS), CERT-Santé (the health sector cybersecurity support service), and France’s National Data Protection Commission (CNIL). Their IT managed services provider, AXIANS, assisted in identifying the incident’s root cause and restoring systems, while the clinic filed a police report for data theft.

Subsequent investigation confirmed attackers had exfiltrated data from the clinic’s file centralization server, compromising information belonging to patients and staff. Polyclinique du Cotentin initiated individual notifications to affected parties under Article 33 of the GDPR, coordinating with CNIL throughout the breach disclosure process. No evidence of data misuse had been identified at the time of reporting, though the clinic warned recipients to remain vigilant for potential phishing or fraud attempts exploiting the stolen information. The organization emphasized that its systems had met multiple ARS security standards prior to the attack but acknowledged the need for continuous security improvements given evolving cyber threats. Technical security measures were being integrated during the ongoing system reconstruction, treating the incident as an opportunity to strengthen defenses. The clinic maintained communication through a dedicated email address for breach-related inquiries while reaffirming its commitment to mitigating consequences through immediate and long-term security enhancements.
