TL;DR:
- 15.8 million French patient records stolen from Cegedim Santé, a health software provider used by 3,800 doctors
- 165,000 records contained doctors' free-text notes revealing HIV status, sexual orientation, mental health conditions, and psychiatric diagnoses
- Politicians and security officials exposed: High-profile individuals' medical files were among those stolen
- CNIL fined Cegedim €800,000 in September 2024 for illegally processing health data, 16 months before this breach
- The company filed a criminal complaint in October 2025 but the breach only became public in late February 2026
- Attack vector: MonLogicielMedical platform used by 1,500 of the 3,800 doctors on the system
What Was Stolen
Hackers accessed Cegedim Santé's MonLogicielMedical (MLM) platform sometime in 2025 and made off with 15.8 million administrative files. The company detected the intrusion in late 2025 and filed a criminal complaint in October.
The stolen data included:
- Standard patient data: Full names, genders, dates of birth, phone numbers, home addresses, email addresses
- Social Security numbers: French national identification numbers that can't be changed
- The dangerous part: 165,000 files containing doctors' free-text clinical notes
Those clinical notes are where it gets ugly. Doctors write their observations in free-text fields: diagnoses, symptoms, personal details patients share in confidence. According to The Register, the leaked notes included records revealing "conditions such as HIV/AIDS and individuals' sexual orientations" as well as mental health conditions and psychiatric treatments.
The breach affected patients of 1,500 out of 3,800 doctors using the MonLogicielMedical platform. Politicians and French security officials were reportedly among those whose records were compromised.
The Company CNIL Already Caught
Here's what makes this breach worse: France's data protection authority already caught Cegedim Santé mishandling health data.
On September 5, 2024, CNIL fined Cegedim Santé €800,000 for three violations:
- Illegal health data processing: The company claimed it anonymized patient data before sharing it for research. CNIL investigators found the data was only pseudonymized, meaning patients could be re-identified "by reasonable means."
- No authorization: Under French law, processing health data requires explicit CNIL authorization. Cegedim never got it.
- The "HRi" teleservice problem: Patient data was automatically downloaded into computerized files without explicit consent.
CNIL's investigation began in 2021. The company collected detailed health information (birth year, allergies, medical history, diagnoses, prescriptions, sick leave records) and linked it to unique patient identifiers. This let Cegedim reconstruct individual healthcare pathways. Cegedim called it a "doctor observatory" for research purposes.
The regulator called it illegal.
Sixteen months after that fine, the same company lost 15.8 million records to hackers.
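As an added illustration of the distinction CNIL drew (pseudonymised, not anonymised), here is a toy "observatory" extract with the fields listed above, keyed by a stable pseudonym, and the two checks a data-protection officer would run before calling it anonymous. This is not code from the article or from Cegedim; the records, field names and pseudonym scheme are constructed.

```python
# Added example, not code from the article or from Cegedim: a constructed
# "observatory" extract keyed by a stable pseudonym, plus the checks that show
# why such data is pseudonymised rather than anonymised. All records are invented.
from collections import Counter, defaultdict

RECORDS = [  # constructed rows, one per visit; the stable pseudonym "pid" links them
    {"pid": "p01", "date": "2023-01-10", "birth_year": 1958, "allergy": "penicillin", "dx": "hypertension", "rx": "amlodipine"},
    {"pid": "p01", "date": "2023-06-02", "birth_year": 1958, "allergy": "penicillin", "dx": "HIV", "rx": "antiretroviral"},
    {"pid": "p02", "date": "2023-02-14", "birth_year": 1991, "allergy": "none", "dx": "flu", "rx": "paracetamol"},
    {"pid": "p03", "date": "2023-03-20", "birth_year": 1993, "allergy": "none", "dx": "asthma", "rx": "salbutamol"},
    {"pid": "p04", "date": "2023-04-05", "birth_year": 1976, "allergy": "latex", "dx": "depression", "rx": "sertraline"},
    {"pid": "p05", "date": "2023-05-11", "birth_year": 1953, "allergy": "latex", "dx": "diabetes", "rx": "metformin"},
    {"pid": "p06", "date": "2023-07-19", "birth_year": 1971, "allergy": "penicillin", "dx": "migraine", "rx": "sumatriptan"},
]

def reconstruct_pathways(records):
    """The stable pseudonym alone rebuilds each patient's care history in date order."""
    paths = defaultdict(list)
    for r in sorted(records, key=lambda r: r["date"]):
        paths[r["pid"]].append((r["date"], r["dx"], r["rx"]))
    return dict(paths)

def quasi_id_profiles(records, coarsen=False):
    """One (birth year, allergy) tuple per patient: attributes an outsider could plausibly
    know. coarsen=True generalises to decade of birth and allergy yes/no."""
    profiles = {}
    for r in records:
        year, allergy = r["birth_year"], r["allergy"]
        if coarsen:
            year, allergy = year // 10 * 10, ("none" if allergy == "none" else "some")
        profiles[r["pid"]] = (year, allergy)
    return profiles

def k_anonymity(profiles):
    """Smallest group of patients sharing one quasi-identifier combination (k=1: someone is unique)."""
    return min(Counter(profiles.values()).values())

def singled_out(profiles):
    """Pseudonyms whose quasi-identifiers are unique in the extract: matching a known birth
    year and allergy is enough to re-identify them, i.e. re-identification by reasonable means."""
    counts = Counter(profiles.values())
    return sorted(pid for pid, prof in profiles.items() if counts[prof] == 1)

if __name__ == "__main__":
    print(reconstruct_pathways(RECORDS)["p01"])        # both visits, including the HIV row
    raw = quasi_id_profiles(RECORDS)
    print(k_anonymity(raw), singled_out(raw))          # 1, every patient is unique
    coarse = quasi_id_profiles(RECORDS, coarsen=True)
    print(k_anonymity(coarse), singled_out(coarse))    # 2, nobody singled out
```

Generalising the quasi-identifiers raises k, but as long as the stable pseudonym stays in the rows the pathway reconstruction still works, which is why a release that keeps it cannot be called anonymous.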
Timeline of a Slow-Motion Disaster
- 2021: CNIL opens investigation into Cegedim Santé data practices
- September 5, 2024: CNIL fines Cegedim €800,000 for illegal health data processing
- Late 2025: Hackers breach MonLogicielMedical platform
- October 2025: Cegedim files criminal complaint (but doesn't go public)
- February 27, 2026: France24 reports the breach publicly
- March 3, 2026: Cegedim confirms 15.8 million records compromised
Four months passed between the criminal complaint and public disclosure. The company said it was "cooperating with the relevant authorities in the ongoing investigation." Meanwhile, 15.8 million patients didn't know their records were in hackers' hands.
The Doctor's Notes Problem
The 165,000 files with free-text notes are the real nightmare here.
When you tell your doctor something in confidence, it often goes into a notes field. Your fear that you might have an STI. Your struggle with depression. The medications you're embarrassed about. The conditions you haven't told your family about.
Doctors don't think about these notes as potential breach material. They're medical shorthand. But when hackers get them, they become leverage. Blackmail material. Discrimination vectors. Insurance problems.
For the politicians and security officials in the breach, the exposure risk is higher. Medical records can end careers. They can be used for intelligence purposes. A foreign government knowing a minister's mental health history or HIV status is a national security issue.
France's Healthcare Data Problem
This isn't France's first major medical data breach. The country has a centralized health data system that makes it an attractive target.
In 2024, two hospital data breaches affected over 30 million French citizens. In February 2021, a breach at medical testing labs exposed data on roughly 500,000 people.
The pattern: France centralizes health data for efficiency, creates honeypots for hackers, and learns nothing when those systems get hit. Cegedim Santé was already on CNIL's radar for mishandling data. They continued operating. Now 15.8 million people pay the price.
What French Patients Should Do
If you've seen a doctor in France who uses MonLogicielMedical (MLM) software:
- Check if your doctor is affected: Ask your healthcare provider directly if they use Cegedim Santé systems and if your records were in the breach
- File a CNIL complaint: Under GDPR, you can complain to CNIL about the breach and the company's handling of it. Visit cnil.fr/fr/plaintes
- Monitor for identity theft: Your Social Security number and personal data are now in criminal hands. Watch for suspicious activity.
- Watch for extortion: If your records contained sensitive medical information, be prepared for potential blackmail attempts
- Request data access: Under GDPR Article 15, you can demand Cegedim tell you exactly what data they held on you
When Fines Don't Fix Anything
CNIL's €800,000 fine in 2024 was supposed to send a message. Cegedim Santé was caught processing health data illegally. They were ordered to comply with GDPR.
Sixteen months later, they lost 15.8 million records.
The fine was a rounding error. Cegedim Group, the parent company, had revenues of €592 million in 2023. An €800,000 fine is 0.13% of annual revenue. Less than a parking ticket, proportionally.
GDPR allows fines up to 4% of global revenue. That would be €23.7 million for Cegedim Group. CNIL chose €800,000. The company continued operating exactly as before.
The breach proves what critics have argued for years: GDPR fines are too small and too rare to change corporate behavior. The same dynamic plays out in the US, where a single contractor exposed 26 million Americans' Medicaid data after the government handed it their records. Companies calculate the risk of a fine versus the cost of real security and privacy compliance. The math usually favors taking the risk.
Sources
- The Register - French Medical Leak Exposes 15.8M Records
- CNIL - Health data: CEGEDIM SANTÉ fined €800,000
- France24 - Hackers steal medical details of 15 million in France
- European Data Protection Board - French SA fined CEGEDIM SANTÉ EUR 800,000
- DataBreaches.net - Hackers steal medical details of 15 million in France
Published: March 19, 2026