A cyberattack on a widely used French medical software system may have exposed personal data tied to as many as 15 million patients, roughly the population of Pennsylvania, triggering a government investigation and a growing backlash over how little patients have been told.
The breach targeted Cegedim Santé, a private company that sells a practice-management and electronic records tool called MLM. The intrusion was detected in late 2025, and authorities say patient information was illegally accessed or exfiltrated, then reportedly advertised for resale on online marketplaces. Exactly how much data leaked remains disputed, but the potential scale is enormous.
Contents
- 1 A private vendor at the center of a public trust crisis
- 2 How many patients were exposed? The numbers are contested, and that’s part of the problem
- 3 What leaked: identity data, and, in some cases, sensitive medical notes
- 4 Investigations underway: Paris prosecutors, cybercrime police, and France’s privacy watchdog
- 5 What patients can expect next, and what this means for digital health
- 6 Key Takeaways
- 7 Frequently Asked Questions
- 8 Sources
A private vendor at the center of a public trust crisis
MLM is used by about 3,800 customers in France, according to information released about the incident. Investigators have identified about 1,500 doctors whose accounts or environments were affected.
That doesn’t mean “the entire French health system” was hacked. But it doesn’t have to be. A single primary-care office can hold thousands of patient files, plus years of archived records. Multiply that by 1,500 practices and the numbers can quickly balloon into the millions.
Cegedim says it detected abnormal activity in late 2025, then moved to secure access, filed a criminal complaint, and notified the CNIL, France’s privacy regulator. The CNIL is roughly France’s counterpart to a mix of the FTC and state privacy enforcers, with GDPR-level powers to investigate and fine.
France’s Health Ministry emphasized that Cegedim is a private contractor and the “data controller” responsible for handling the information. Politically, that draws a line between the state and the vendor. For patients, it’s a distinction without much comfort: health data is still health data, whether it sits in a public hospital system or a private doctor’s office software.
How many patients were exposed? The numbers are contested, and that’s part of the problem
Media estimates have put the number of potentially affected patients between 11 million and 15 million. A hacker has claimed an even larger trove, up to 19 million records. Meanwhile, spot checks cited in reporting found administrative data for roughly 300,000 patients, with only a limited amount of medical information appearing in that sample.
The uncertainty is fueling anxiety. Patients can’t easily infer whether they’re impacted based on whether their doctor used MLM, and many doctors say they don’t have the technical visibility to give quick, confident answers.
One detail raised in the reporting underscores the murkiness: a supposedly massive file was said to contain only about 150,000 unique email addresses. That gap could point to duplicates, incomplete fields, or multiple databases stitched together, none of which makes the risk disappear, but all of which makes it harder to measure and respond to.
What leaked: identity data, and, in some cases, sensitive medical notes
Much of what’s described so far is “administrative” data: names, dates of birth, addresses, phone numbers, and other identifiers. In the U.S., that’s the kind of information that can power identity theft, account takeovers, and highly targeted scams.
The stakes rise sharply when health context is attached. A scammer who knows you’re a patient at a medical practice can convincingly impersonate a doctor’s office, an insurer, or an appointment service and pressure you to hand over documents, banking details, or login credentials.
Even more alarming: some exposed files may include physician-written annotations, free-text notes that can contain deeply personal information. Reported examples suggest some notes may reference sensitive topics such as religion or sexual orientation.
A preliminary estimate cited in the reporting suggests about 165,000 people could be affected by the leak of sensitive information, including medical details. Even if that’s a fraction of the total, it’s enough to raise concerns about discrimination, reputational harm, and blackmail.
Investigations underway: Paris prosecutors, cybercrime police, and France’s privacy watchdog
French judicial authorities have opened an investigation in Paris, with specialized cybercrime units involved and oversight by the Paris prosecutor’s office, roughly the equivalent of a major U.S. federal prosecutor’s office handling complex cases.
On the regulatory side, CNIL has been notified. Under Europe’s strict privacy rules, notification is required, but it doesn’t end the story. Regulators can scrutinize security controls, access management, incident response, and whether safeguards should have prevented large-scale extraction in the first place.
Patient advocacy group France Assos Santé has criticized what it calls insufficient transparency, arguing that patients still have few practical ways to learn whether their data, or sensitive notes about them, were part of what leaked.
What patients can expect next, and what this means for digital health
For patients, the most immediate threat is targeted phishing: messages that look like they’re from a clinic or insurer, using real personal details to sound legitimate. The next layer is identity fraud built on accurate biographical data. The hardest risk to quantify is stigma or personal harm if intimate medical details circulate without context.
For doctors, the breach highlights a familiar bind: clinicians are responsible for patient trust and medical confidentiality, but they rely on software ecosystems they don’t fully control. Stronger passwords and multi-factor authentication can help at the practice level, yet much of the security burden sits with vendors and hosting providers.
The bigger implication is one American readers will recognize from U.S. hospital hacks: healthcare is racing to digitize, but the security and communication playbooks often lag behind. When patients can’t get a straight answer about what leaked and whether they’re affected, the damage isn’t just technical; it’s a slow erosion of trust that’s hard to rebuild.
Key Takeaways
- The cyberattack targeting Cegedim Santé and the MLM software affected 1,500 identified physicians.
- Up to 15 million patients could be impacted, but the exact scope is still being debated.
- The leak includes administrative data and, in some cases, sensitive information from medical notes.
- An investigation has been opened in Paris and the CNIL has been notified, while the handling of patient notification remains under criticism.
Frequently Asked Questions
Public estimates suggest a range of roughly 11 to 15 million people, while hackers have claimed a higher number. Authorities and the ongoing investigation still need to determine the true scope, since the exact figure depends on which records were accessible through the affected doctors.
What data may have been leaked in the MLM software case?
The information described mainly involves administrative identification and contact details. Some of the data may also include notes written by doctors, which could contain sensitive information. Preliminary estimates mention about 165,000 people affected by sensitive data.
Who is investigating the hack and data leak?
An investigation has been opened in Paris, involving units specialized in fighting cybercrime. France’s data protection authority (CNIL) has also been notified, which could lead to audits of security measures and incident handling.
Were patients informed directly?
Communication has mainly focused on informing the doctors identified as affected. Patient advocacy groups have criticized what they see as insufficient transparency for the people concerned, especially because it can be hard to know whether sensitive comments were included in an exposed record.
Sources
- Des millions de patients concernés après le piratage du logiciel …
- Après la fuite de données de santé, la fuite des responsabilités
- Cegedim : des données personnelles volées à la suite du piratage d …
- Quinze millions de patients concernés, 1 500 médecins … – Franceinfo
- 15 millions de Français touchés par une fuite massive de données …