Cyber Incident Victim: Assistance Publique-Hôpitaux de Paris

In mid-2020, hackers breached a secure file-sharing service utilized by Paris hospitals to transmit COVID-19 testing data, resulting in the theft of personal information for approximately 1.4 million individuals tested during that period. The attack targeted a system employed in September 2020 to share contact tracing information with various health authorities, rather than the central national testing database. Hospital officials confirmed the cyber attack on September 12, 2021, and filed a formal complaint with the Paris prosecutor's office that same day. The compromised data included full names, social security numbers, contact details, and test results of tested individuals, along with the names and contact information of associated healthcare professionals. Hospital authorities emphasized no additional medical records beyond COVID test results were accessed or exfiltrated during the incident.

The Paris hospital organization immediately notified France's National Commission on Informatics and Liberty (CNIL) and the National Agency for the Security of Information Systems (ANSSI) about the breach. CNIL launched a formal investigation into the data protection violations following the disclosure. Affected individuals were scheduled to receive direct notifications about the compromise in the days following the September 12 announcement. France's health ministry separately announced its intention to file a legal complaint to fully investigate the breach's origins, consequences, and necessary preventive measures. The incident exclusively impacted individuals tested in the Paris region during mid-2020, with no evidence suggesting broader national testing data was compromised through this attack vector.