French Health Ministry Software Supplier Breached — 15.8 Million Patient Records Stolen Including Doctors' Notes on HIV and Sexual Orientation
Attackers breached Cegedim Santé, a software supplier to France's health ministry, stealing approximately 15.8 million administrative patient files — including 165,000 containing free-text notes written by doctors that in some cases documented HIV/AIDS status, sexual orientation, and other sensitive medical history.
The breach, confirmed in late 2025, targeted Cegedim's MonLogicielMedical (MLM) platform, which is used by 3,800 doctors across France for electronic health records, patient communication, and administrative management. Approximately 1,500 doctors were affected.
Top French politicians were reportedly among the individuals whose information was extracted.
What Was Stolen
The stolen administrative files contained:
- Full names and genders
- Dates of birth
- Telephone numbers and email addresses
- Home addresses
- Doctors' free-text notes — 165,000 files containing clinical observations, with "very limited cases" including sensitive medical history such as HIV/AIDS diagnoses and sexual orientation
The exposure of doctors' notes is particularly damaging. Unlike structured medical data fields, free-text clinical notes can contain any observation a physician deemed relevant — creating an unpredictable scope of sensitive information exposure that goes far beyond typical PII breaches.
Third-Party Supply Chain Compromise
The attack targeted the software supplier rather than the health ministry directly — a supply chain compromise that gave attackers access to patient data aggregated across 1,500 medical practices through a single breach point.
Cegedim stated it is cooperating with relevant authorities and expressed commitment to "the fight against cybercrime and data protection." The French health ministry did not respond to requests for comment.
France Under Sustained Attack
This breach follows a separate incident, disclosed on February 18, in which attackers accessed France's national bank account file (FICOBA), which contains details of every bank account in the country. In that attack, the perpetrator impersonated a civil servant with inter-ministerial information exchange access rights, stealing details on approximately 1.2 million accounts including account numbers, holders' addresses, and tax identification numbers.
Two major government-adjacent data breaches within weeks — one targeting healthcare, the other financial infrastructure — suggest that France either is facing a coordinated campaign or is being treated as a target-rich environment by multiple threat actors.
Defender Recommendations
- Healthcare software vendors should treat themselves as high-value targets and implement zero-trust access controls around patient data stores
- Medical practices using MLM should notify affected patients and monitor for targeted phishing using stolen personal details
- Affected individuals should be vigilant for social engineering attempts that reference specific medical information to appear credible
- Organizations managing sensitive free-text data should evaluate whether clinical notes require additional encryption-at-rest protections beyond standard database security
- Third-party risk assessments for healthcare suppliers should specifically evaluate how patient data is aggregated across practices and what controls prevent bulk extraction
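
To illustrate the kind of bulk-extraction control the last recommendation asks assessors to look for, here is an added Python example (not code from Cegedim, MLM, or the original article). It flags any account that, within a sliding window, reads from more practices or more patient records than a set limit. The audit-event fields, account names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_bulk_access(events, window=timedelta(minutes=10),
                       max_practices=3, max_records=50):
    """Flag accounts whose reads inside any sliding window span too many
    practices or too many distinct patient records.

    events: iterable of (timestamp, account, practice_id, record_id),
    an assumed audit-log shape. Returns {account: (reason, first_seen_at)}.
    """
    recent = defaultdict(deque)  # account -> reads still inside the window
    flagged = {}
    for ts, account, practice, record in sorted(events):
        q = recent[account]
        q.append((ts, practice, record))
        while ts - q[0][0] > window:  # drop reads older than the window
            q.popleft()
        if account in flagged:
            continue
        if len({p for _, p, _ in q}) > max_practices:
            flagged[account] = ("cross_practice", ts)
        elif len({(p, r) for _, p, r in q}) > max_records:
            flagged[account] = ("volume", ts)
    return flagged

def constructed_events():
    """Constructed sample: two clinicians in their own practice, plus one
    account sweeping six practices at one read every two seconds."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    ev = [(t0 + timedelta(seconds=30 * i), "dr_a", "practice-001", f"a{i}")
          for i in range(20)]
    ev += [(t0 + timedelta(seconds=45 * i), "dr_b", "practice-002", f"b{i}")
           for i in range(12)]
    ev += [(t0 + timedelta(seconds=2 * i), "svc_sync", f"practice-{i % 6:03d}", f"r{i}")
           for i in range(60)]
    return ev

if __name__ == "__main__":
    for account, (reason, at) in detect_bulk_access(constructed_events()).items():
        print(f"ALERT {account}: {reason} at {at.isoformat()}")
```

On the constructed sample, only the account sweeping across practices is flagged; the limits would need tuning against each account type's normal workload.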