A major French health-tech company says hackers broke into a widely used medical software platform and accessed patient data on a staggering scale, up to 15 million people. While the company insists full medical charts weren’t taken, it acknowledges something potentially more explosive: some files included doctors’ free-text notes that can reveal deeply personal details.
The breach hit Cegedim Santé’s “MLM” software, used by thousands of physicians across France. French health authorities have opened an investigation, and the country’s privacy watchdog, roughly France’s equivalent of a combined FTC-style privacy regulator and data-protection authority, has been notified as the government demands urgent fixes.
Contents
- 1 A late-2025 intrusion, traced to unusual activity on doctors’ accounts
- 2 How big is the blast radius? 15 million patients, 1,500 doctors
- 3 What was exposed: names, birth dates, contact info, and a ready-made phishing kit
- 4 The most sensitive piece: doctors’ free-text notes that can stigmatize patients
- 5 Patients want clarity, and doctors are stuck in the middle
- 6 What this means for digital health in France, and beyond
- 7 Key Takeaways
- 8 Frequently Asked Questions
- 9 Sources
A late-2025 intrusion, traced to unusual activity on doctors’ accounts
Cegedim says it detected the attack in late 2025 after spotting abnormal application requests tied to physician accounts using MLM. In plain terms, that’s the kind of pattern security teams often associate with automated scraping, someone using legitimate accounts (or stolen credentials) to pull unusually large volumes of data.
The company says it locked down access, filed a criminal complaint, and reported the incident to France’s data-protection authority, the CNIL (Commission Nationale de l’Informatique et des Libertés), which enforces Europe’s strict GDPR privacy rules.
Cegedim’s wording matters: it says patient data was “consulted or illegally extracted.” “Consulted” could mean unauthorized viewing without mass copying; “extracted” implies data was pulled out and duplicated. Either way, samples of the data have circulated online, according to the report, including administrative details for roughly 300,000 patients, only a small portion of which appeared to include medical or private information.
How big is the blast radius? 15 million patients, 1,500 doctors
MLM is used by about 3,800 doctors in France, Cegedim says. The company estimates roughly 1,500 of those physicians, nearly 40%, were affected in some way.
That doesn’t necessarily mean 1,500 accounts were all “cleanly” looted, but it raises a familiar question for cybersecurity experts: how much can one compromised account see? If access controls are too broad, a single stolen login can open far too many doors.
In many medical offices, software like MLM isn’t just a scheduling tool. It can bundle identity and contact information, billing and insurance exchanges, and internal comment fields that staff use differently from office to office. That’s where the company’s “administrative-only” framing starts to wobble.
What was exposed: names, birth dates, contact info, and a ready-made phishing kit
The headline number is the one that lands hardest: up to 15 million patients had “administrative” data exposed. That includes name, sex, date of birth, phone number, home address, and email address.
On their own, those data points can look routine. Together, they’re a turnkey package for identity theft and highly targeted scams, especially messages that impersonate a doctor’s office, an insurer, or a government health agency. With a real name, birth date, and address, criminals can craft outreach that feels unnervingly legitimate and gets more people to click.
And the risk doesn’t fade quickly. Even if the intrusion happened months ago, much of this information stays valid for years. People change phone numbers, but not birth dates. And a compromised email account can become a gateway to other services.
The most sensitive piece: doctors’ free-text notes that can stigmatize patients
Cegedim also acknowledged a more delicate exposure: free-text “comment” fields that, for a smaller number of patients, contained personal annotations written by doctors. These aren’t structured medical records like lab results or formal diagnoses, the company says, but they can still include sensitive information because they’re written in plain language.
Observers who reviewed leaked material described notes that could touch on diagnoses, sexual orientation, or religion. Even when those notes aren’t part of a standardized medical chart, they can be more damaging precisely because they’re blunt, contextual, and sometimes judgmental, words that were never meant to leave a clinical setting.
France’s Health Ministry highlighted a risk of sensitive-data exposure for about 164,000 people. That figure underscores a key point: not everyone faces the same harm. For many, the danger is fraud and phishing. For others, a leaked note could fuel harassment, discrimination, or blackmail, even if the note is inaccurate or poorly phrased.
Patients want clarity, and doctors are stuck in the middle
For patients, the immediate question is simple: “Was I affected, and what exactly was in my file?” Patient advocates in France have long criticized breach notifications that feel vague or incomplete, especially when free-text notes are involved. A patient can’t guess what a doctor typed into an internal comment box years ago.
For physicians, the breach lands as a professional and personal gut punch. Doctors are legally bound by medical confidentiality, but they rely on software vendors and hosting providers to secure the systems. When a vendor gets hit, clinicians can end up explaining to patients that they didn’t leak anything, yet their tools were compromised.
The Health Ministry has demanded urgent corrective measures. That typically means tightening access controls, forcing password resets, improving session monitoring, and adding alerts for unusual query volumes. But the breach also exposes a less glamorous vulnerability: everyday “cyber hygiene” in small practices, where shared computers, weak authentication, or recycled passwords can turn a single mistake into a major incident.
What this means for digital health in France, and beyond
The case comes after a string of cyberattacks on the health sector in France, including dozens of hospitals in recent years. What stands out here is the target: not a giant hospital system, but a software vendor used in everyday outpatient care, closer to the patient, and potentially capable of exposing millions of records in one hit.
Regulators will likely scrutinize whether Cegedim’s security measures were proportionate, how quickly the company detected the intrusion, and how it handled the response under GDPR rules. On the ground, medical practices will push for concrete safeguards: better logging, rate limits to prevent mass extraction, stronger authentication, and tighter segmentation so one compromised account can’t vacuum up huge datasets.
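The detection pattern the article keeps returning to, abnormal application requests tied to physician accounts, alerts for unusual query volumes, and rate limits against mass extraction, comes down to one question: how many distinct patient records is a single account opening in a short window? The following is an added example, not Cegedim’s code and not based on MLM’s real logs. The log format, the account names, the clinic-day traffic and the threshold of 25 distinct records per 10 minutes are all constructed assumptions; a real deployment would derive the threshold from each practice’s historical baseline.

```python
"""Flag accounts whose patient-record lookups look like bulk extraction.

Added example: hypothetical log format and thresholds, not vendor code.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed sample log: one line per request, space-separated as
    '<ISO timestamp> <account> <action> <patient id>'. Hypothetical format."""
    base = datetime(2025, 11, 3, 8, 0, tzinfo=timezone.utc)
    lines = []
    # Ordinary clinic morning: 12 distinct patients, one every 15 minutes.
    for i in range(12):
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t.isoformat()} dr_martin view_patient P-{10000 + i}")
    # The same account re-opens one chart five times; repeats of the same
    # patient must not inflate the distinct-record count.
    for i in range(5):
        t = base + timedelta(minutes=30, seconds=i)
        lines.append(f"{t.isoformat()} dr_martin view_patient P-10002")
    # Scraping-shaped traffic on a second account: 60 distinct patients in
    # about four minutes, the kind of burst a clinician never produces by hand.
    for i in range(60):
        t = base + timedelta(hours=3, seconds=4 * i)
        lines.append(f"{t.isoformat()} dr_dupont view_patient P-{20000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed format into (timestamp, account, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), account, action, patient))
    return events


def peak_distinct_patients(events, window=timedelta(minutes=10)):
    """For each account, the largest number of distinct patient records opened
    within any sliding window of the given length (assumed record-level alert unit)."""
    by_account = defaultdict(list)
    for ts, account, action, patient in events:
        if action == "view_patient":
            by_account[account].append((ts, patient))

    peaks = {}
    for account, items in by_account.items():
        items.sort()
        counts = defaultdict(int)   # patient id -> views inside the window
        start = 0
        peak = 0
        for end, (ts, patient) in enumerate(items):
            counts[patient] += 1
            # Slide the window forward until it spans at most `window`.
            while ts - items[start][0] > window:
                old = items[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        peaks[account] = peak
    return peaks


def flag_bulk_access(events, window=timedelta(minutes=10), max_distinct=25):
    """Accounts whose peak distinct-record count exceeds the assumed threshold,
    mapped to that peak. These are the accounts an alert should be raised for."""
    return {
        account: peak
        for account, peak in peak_distinct_patients(events, window).items()
        if peak > max_distinct
    }


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    for account, peak in sorted(flag_bulk_access(evts).items()):
        print(f"ALERT {account}: {peak} distinct patient records in one 10-minute window")
```

Counting distinct records rather than raw requests is deliberate: a doctor re-opening the same chart many times is normal, whereas one account walking through dozens of unrelated patients in minutes is the signature of scraping. The same counter, run at the application layer, is what a rate limit on record retrieval would key on.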
The breach also reignites a debate that U.S. health systems know well: free-text fields. Clinicians need room to capture context, but unstructured notes can become a privacy landmine when they’re not tightly governed. The challenge is to guide and protect that information, through better design, encryption, access controls, and monitoring, without turning documentation into an unusable checklist.
Key Takeaways
- Cegedim says it detected unusual activity in the MLM software in late 2025.
- The leak involves administrative data that could affect up to 15 million patients.
- A subset of records may contain personal notes, posing a risk of sensitive data exposure for 164,000 people.
- About 1,500 of MLM’s 3,800 physician users in France are reported to be affected.
- The ministry is calling for urgent corrective measures, and an investigation is underway.
Frequently Asked Questions
What data was exposed in the Cegedim hack?
The company says the information viewed or extracted came from the administrative file: identity and contact details, plus an administrative free-text comment. It acknowledges that, for a limited number of patients, this field may have contained personal notes involving sensitive information.
Were complete medical records stolen?
Cegedim says patients’ structured medical records remained intact. The main concern is the free-text comment, which can contain intimate details even if it is not a structured medical record.
How many doctors and patients are affected?
Cegedim cites 1,500 affected doctors out of 3,800 users in France. On the patient side, the affected administrative data is described as potentially involving up to 15 million people, with authorities citing a risk of sensitive data for 164,000 people.
What are the concrete risks for patients after an administrative data leak?
Risks include highly targeted phishing and scams, identity theft, and fraudulent solicitations. When sensitive notes are involved, the risk extends to stigmatization, harassment, or blackmail depending on what was mentioned.
What measures are expected after this incident?
France’s Ministry of Health requested urgent corrective measures. Actions typically expected include securing access, monitoring for abnormal queries, strengthening authentication, and better controlling free-text fields, while complying with notification obligations to the CNIL.
Sources
- Cegedim : des données personnelles volées à la suite du piratage d …
- Cegedim : l'État acte l'ampleur de la fuite et précise le risque …
- Des millions de patients concernés après le piratage du logiciel …
- Quinze millions de patients concernés, 1 500 médecins … – Franceinfo
- [PDF] COMMUNIQUÉ DE PRESSE – Cegedim

