HELLFIRE
MVM
join:2009-11-25

8 recommendations

0.5M plaintext French medical records leaked, but from where?

»www.theregister.com/2021 ··· weekend/
»www.liberation.fr/checkn ··· DLTDZBU/ -- source article (in French), partially behind paywall
quote:
Here in France, we've just experienced the country's biggest ever data breach of customer records, involving some half a million medical patients. Worse, the data wasn't even sold or held to ransom by dark web criminals: it was just given away so that anyone could download it.

Up to 60 fields of personal data per patient are now blowing around in the internet winds. Full name, address, email, mobile phone number, date of birth, social security number, blood group, prescribing doctor, reason for consultation (such as "pregnancy", "brain tumour", "deaf", "HIV positive") and so on – it's all there, detailed across 491,840 lines of plain text.

According to an investigation by daily newspaper Libération, warning signs that something was afoot were first reported on 12 February in a blog by Damien Bancal at security outfit Zataz. Some dark web spivs began discussing in Turkish-language channels on Telegram about how to sell some medical records stolen from a French hospital. Some of them then tried independently to put the data on the market and got into an argument that spilled over into Russian-language channels. One of them, it seems, got pissed off and decided to take revenge by posting an extract of the data publicly. This was rapidly spread around Telegram's other lesser spivlet channels and soon afterwards ended up being shared on conventional social media.

A closer look at the file reveals that it didn't come from a hospital after all. It turns out the various dates on the patient records refer not to doctors' appointments but to when patients had to submit a test specimen: in other words, the data is likely to have been stolen from French bio-medical laboratories conducting the specimen analysis.

Further probing by Libé revealed that the hack may relate to data stored using a system called Mega-Bus from Medasys, a company since absorbed into Dedalus France. Dating back to 2009, Mega-Bus hasn't been updated and laboratories have been abandoning it for other solutions over the last couple of years. No patient records entered into these newer systems can be found in the stolen file, only pre-upgrade stuff entered into Mega-Bus, apparently. This has led to much conjecture as to when and where the breach might have taken place.
Regards