Cegedim santé confirms 15.8 million patient records exposed in breach

Cegedim Santé confirmed that attackers illegally accessed roughly 15.8 million administrative patient records held in its MonLogicielMedical (MLM) software, a breach the company says was detected in late 2025 and for which it filed a criminal complaint in October 2025. France24/AFP and The Register reported the figure and said the leak affected software used by about 3,800 doctors, with roughly 1,500 practitioners impacted.

Company statements attributed to Cegedim say the intrusion was identified after what it described as "abnormal application query behaviour" and that patient data stored within MLM had been illegally accessed or extracted. Cegedim said the incident "has been contained," that only administrative records were affected, that structured medical files remain intact, and that it is "supporting its clients and their patients as much as possible" and will "fully cooperate with the authorities," according to reporting by Brussels Times and France24/AFP.

Independent media examinations of the leaked repository report a narrower but consequential exposure inside the administrative set. The Register and France24/AFP cite that between 165,000 and 169,000 free-text doctor notes were included in the leaked material. France2, which media say accessed an openly available database, reported examples of explicit entries such as "HIV-positive," "veiled Muslim mother," and "son in prison," according to Cybersecurity-review and Anadolu Agency attribution cited by that outlet. France24/AFP said the presence of annotations that reveal sensitive conditions means the breach could carry long-term harm to individuals.

Gerome Billois, a cybersecurity expert at consultancy Wavestone, told AFP that the leak could be "the biggest in France" in the health sector and warned of "irreparable consequences." He said, "Once health information that says: 'You have AIDS' or 'You have such and such a disease' is released, you can never go back," as quoted by France24/AFP.

The incident has prompted political and regulatory scrutiny. Health Minister Stéphanie Rist has asked Cegedim Santé to explain causes, outline corrective measures, and provide guarantees to prevent further leaks, Brussels Times reported citing AFP. The national data protection authority CNIL had not immediately commented, the Brussels Times said. Cegedim has notified prosecutors and filed a complaint; it has not published a detailed technical forensic timeline in public reporting to date.

The Cegedim episode is unfolding amid other high-profile data compromises in France. Reporting by France24 and The Register noted a separate finance ministry incident in which attackers consulted around 1.2 million national bank account records, an event the ministry disclosed on February 18, 2026. Separately, Cybernews researchers told Techdigest they found an unprotected dataset of some 45 million records across multiple sectors; that aggregation is presented by those researchers as a separate discovery and is not confirmed to be the same repository tied to MLM.

Policy implications are immediate. The breach highlights third-party vendor risk within the health system, gaps in protection of free-text clinical notes, and potential failures in notification and oversight. Regulators, parliamentary committees and local health authorities will need forensic evidence to determine whether technical controls, certification rules for health software, or stronger breach-notification mandates must change to restore patient trust and limit downstream harms such as targeted fraud and discrimination.