Cyber Incident Victim: France
Date: Nov 2024
Location: France
Summary
A cyberattack targeting a French healthcare facility compromised the electronic patient records of approximately 750,000 individuals after threat actors gained unauthorized access to the MediBoard platform using stolen credentials. The attackers, operating under the alias 'nears,' claimed to have breached multiple hospitals managed by a single entity, exploiting a privileged account within the client's infrastructure to access sensitive data including full names, birthdates, addresses, medical prescriptions, and health card histories. While the software provider confirmed no vulnerability in their system, the exposed records were offered for sale, heightening risks of phishing, fraud, and social engineering attacks against affected patients. The incident underscores the impact of credential compromise across interconnected healthcare networks.
Description
On November 19, 2024, a cyberattack was detected at an unnamed French hospital using the MediBoard electronic patient record (EPR) system developed by Softway Medical Group. A threat actor using the alias 'nears' (previously known as near2tlg) claimed responsibility for breaching multiple healthcare facilities in France, asserting access to records of over 1.5 million patients. The attacker specifically targeted MediBoard by compromising a privileged account within the hospital's infrastructure, exploiting stolen credentials rather than a software vulnerability or misconfiguration in the MediBoard platform. Softway Medical Group confirmed the breach, clarifying that the compromised account was managed by the hospital and not under their direct control, with no evidence of flaws in their software implementation or human error on their part. The attacker attempted to sell access to five hospitals—Centre Luxembourg, Clinique Alleray-Labrouste, Clinique Jean d'Arc, Clinique Saint-Isabelle, and Hôpital Privé de Thiais—advertising the ability to view and modify healthcare data, billing information, patient records, and appointments. To substantiate their claims, the threat actor listed for sale the records of 758,912 patients from the breached hospital, containing full names, dates of birth, genders, home addresses, phone numbers, email addresses, physician details, prescriptions, and health card histories. No buyers were publicly declared for the data at the time of reporting, though the exposure created risks of phishing, scamming, and social engineering attacks against affected individuals.

Subsequent analysis revealed all five targeted hospitals belonged to a single entity, Aléo Santé, explaining how the compromise of one privileged MediBoard account provided access to multiple facilities. The data exposed was hosted locally by the hospital rather than by Softway Medical Group, which reiterated that the breach stemmed from credential theft unrelated to its software’s security posture. The threat actor’s advertisement included functionalities to manipulate medical records and appointments, though no evidence confirmed such actions occurred beyond initial access. While the data had not been sold or leaked publicly by November 21, 2024, the incident highlighted systemic risks associated with centralized access management across healthcare networks. The exposure of sensitive health information, including prescription histories and contact details, elevated privacy concerns for 750,000 patients, with potential long-term consequences for identity theft and medical fraud. Softway Medical Group and the affected hospitals coordinated incident response efforts, but no containment measures or remediation steps were disclosed in available reports.
