A data breach at an unnamed French hospital exposed the medical records of 750,000 patients after a threat actor gained access to its electronic patient record system.
A threat actor using the nickname ‘nears’ (previously near2tlg) claimed to have attacked multiple healthcare facilities in France, alleging that they have access to the patient records of over 1,500,000 people.
The hacker claims they breached MediBoard by Software Medical Group, a company offering Electronic Patient Record (EPR) solutions across Europe.
Softway Medical Group has confirmed that hackers have compromised a MediBoard account. However, it noted that this was not the result of a software vulnerability or misconfiguration on their part, but rather through the use of stolen credentials used by the hospital.
In a letter sent to French media and shared with BleepingComputer by LeMagIT’s editor-in-chief, Valéry Rieß-Marchive, Softway Medical Group says the exposed data was not directly managed by them, but rather hosted by the hospital.
“On November 19, 2024, a cyberattack was detected within a healthcare facility using the Mediboard software,” reads the machine-translated email.
“We want to emphasize that the affected health data were not hosted by Softway Medical Group.”
BleepingComputer contacted Softway Medical Group for clarifications on which account and at what level was compromised, and a spokesperson shared the following statement:
“We can confirm that our software is not responsible, but rather, a privileged account within the client’s infrastructure was compromised by an individual who exploited the standard functions of the solution,” the Softway Medical Group told BleepingComputer.
“This hypothesis has been substantiated. It is therefore neither due to improper implementation of the software nor human error.”
Selling access to hospitals
This all unfolded after the threat actor began selling what they claimed was access to the MediBoard platform for multiple French hospitals, including Centre Luxembourg, Clinique Alleray-Labrouste, Clinique Jean d’Arc, Clinique Saint-Isabelle, and Hôpital Privé de Thiais.
This access allegedly would let the buyer view the hospitals’ sensitive healthcare and billing information, patient records, and the ability to schedule and modify appointments or medical records.
To prove that they gained access to the MediBoard accounts, the hacker also put the records of 758,912 patients from an unnamed French hospital up for sale.
These records allegedly contain the following information:
- Full name
- Date of birth
- Gender
- Home address
- Phone number
- Email address
- Physician
- Prescriptions
- Health card history
The data was offered for purchase to three users, and currently, no buyers have been declared on the sale listing.
Even if the data isn’t sold, there’s always a risk of being leaked online for free, making it available to the broader cybercrime community.
The type of data exposed in this incident raises the risk of phishing, scamming, and social engineering for impacted people.
Update 11/21: BleepingComputer has learned that all of the affected hospitals belong to a single entity, Aléo Santé, which explains how the threat actor got access to all of them by compromising one privileged MediBoard account not in Softway’s direct control.
