Massive data breach at French medical software firm exposes 15 million patients

Cegedim, a major French provider of medical software, has suffered a large-scale cyberattack that led to the leak of personal data belonging to approximately 15 million people — including politicians and candidates in France’s presidential race.

The breach, detected at the end of 2025, involved unauthorised access to one of the company’s databases. Of the roughly 3,800 doctors using Cegedim’s software, about 1,500 were affected. Those practitioners were contacted in early January and advised to inform the relevant authorities about the potential data exposure, French media reports.

Although the company described the scale of the incident as limited and stated that the attackers have not made contact or issued ransom demands, French health officials have raised serious concerns about the sensitivity of the compromised information.

Hackers reportedly gained access to patients’ personal details, including names, gender, age, and contact information. More troublingly, they also accessed doctors’ “free administrative comments” contained within medical records. According to the Ministry of Health, these comments were stored in approximately 169,000 files and could include highly sensitive information related to HIV status, sexual orientation, religion, and suicidal ideation.

The French Ministry of Health has launched a formal investigation into the incident, as authorities assess the full scope of the breach and its potential implications for patient privacy and national political security.

By Sabina Mammadli