Cyber Incident Victim: Hospices Civils de Lyon

On or around June 16, 2023, a cybersecurity incident involving the Hospices Civils de Lyon (HCL) was reported. The breach was not initially discovered by HCL itself but was instead brought to their attention by one of their external service providers. This provider notified HCL that a secure platform it operated for the purpose of transferring data had been compromised by hackers. The attack was characterized by HCL as being part of a larger, widespread cyberattack that had affected numerous organizations, institutions, and companies both within France and internationally, suggesting the incident was not an isolated event targeting HCL specifically but rather a broader campaign.

The investigation into the incident determined that the compromised system was not part of the internal information technology infrastructure of the Hospices Civils de Lyon. The hospital group's own IT systems were confirmed to have remained entirely unaffected by the attack and experienced no operational disruptions or malfunctions as a result. The breach was confined solely to the external vendor's secured transfer platform. This delineation meant that core hospital operations, including patient care systems and internal networks, were not impacted.

The data stolen in the attack consisted solely of individual identification details pertaining to HCL professionals. According to the official statement released by the Hospices Civils de Lyon, the hacked files did not contain any medical information, financial data such as bank coordinates, or passwords. The compromised data was limited to elements that could be used to identify the staff members, though the specific types of identifying information were not detailed in the public communications. The scope of the data theft was confined to employee information and did not extend to any patient records.

Upon being notified by their vendor of the security breach and the theft of their employees' data, the Hospices Civils de Lyon promptly initiated a formal response. The organization filed a legal complaint with the authorities, marking the start of a judicial process. An investigation into the matter was subsequently opened and is being conducted by the judicial police. In parallel with the criminal complaint, HCL also performed a mandatory notification to the Commission Nationale de l'Informatique et des Libertés (CNIL), France's national data protection authority, in compliance with data breach reporting regulations. Notifications were also made to other competent authorities.

A key component of the hospital group's response was the commitment to transparency with the affected individuals. The Hospices Civils de Lyon publicly stated that all persons impacted by this data theft had been directly informed of the incident. This action was taken to ensure that the concerned professionals were aware of the event and could remain vigilant. The public communications from HCL emphasized that their internal systems were secure and that no medical or financial data was involved, likely to provide reassurance and mitigate concern among both staff and the public. The incident highlights a growing trend where third-party vendors and service providers represent a potential vulnerability point for large organizations, even when their own internal defenses remain intact. The response undertaken by HCL followed a standard protocol for such events, encompassing legal, regulatory, and internal communication steps.