In 2021, bioassay laboratories were the target of a massive hack of medical data, which affected nearly 400,000 Breton patients. Two years later, this data is still circulating on the Internet, and victims are exposed to phishing campaigns. Here are the explanations.
“I don’t click on anything. Everything I don’t know goes in the trash!” Ever since his personal information was hacked, Philippe has been inundated with emails as well as text messages and phone calls.
His last name, first name, date of birth, mailing address, email address, phone number, social security number and medical information continue to circulate on the Internet, like those of the 400,000 Bretons who were victims of a health data breach in 2021, following the hack that targeted several French laboratories, including Océalab, in Vannes, where Philippe’s medical file is located.
In the wake of this affair, revealed at the time by Libération and the specialist blog Zataz, the Vannes resident created a private Facebook group “to prevent and provide information to people affected by this hack,” he explains. The group is still active because, according to its founder, “We have to be extra careful and vigilant. Identity theft is our worst nightmare.”
Philippe has become more suspicious and keeps asking himself questions. “Our data was dumped on the dark web anyway, which makes us an ideal target for all kinds of scams,” he said. “It’s nothing. It is even disturbing. Since every administrative procedure is carried out in a dematerialized way or almost, whether it is for the renewal of our identity cards, our health declarations, we have the right to ask ourselves questions about the security of our personal data.”
This Dedalus affair, named after the company that markets software solutions for medical analysis laboratories and which has since been fined 1.5 million euros, has “a strong impact in terms of emotional charge,” observes Gwenn Feunteun, a cyber security expert in Rennes, “because leaks of medical data enter the intimate sphere and a social security number, for example, is considered a sensitive element by the CNIL, the national commission for data processing and liberties.”
The Acceis co-founder notes that the data hacked from the labs in 2021 “are always easily accessible online”. There is no need to search the dark web to find them. “Just go to some forums,” notes Gwenn Feunteun, who noticed the Dedalus files recently. “It will never end,” he warns. “As long as the data is online, it stays there. Either in the form of the initial file or they are integrated into other lists which themselves integrate them into other lists. It’s endless.”
What are the victims of this massive hack exposed to? “The social security number is an identification that you have for life,” the cyber security expert points out. “It is a gateway for hackers who will try to access the Ameli account through a phishing email or SMS campaign, encouraging people to click on a link to change their password. This link refers to a password recovery page. The hacker then accesses everyone’s personal space, modifies bank details to recover money for medical reimbursements.”
The messages sent are ultra-personalized, as hackers have enough private elements to trick the recipient. Example: “Since your last examination, carried out on such date and such place, we have been able to notice a defect in your Carte Vitale, please click on this link”. Or: “Your new Carte Vitale is available, fill out this form to stay covered”.
“Of the 500,000 people who had their medical records leaked, I bet a lot of people will click on the link,” says Gwenn Feunteun. “From the moment we make people believe, where we make them believe that the message is individual, when it is a mass attack in disguise, the danger is real.”