Following a cyberattack over the summer, hackers managed to steal the data of 1.4 million people who took Covid tests in mid-2020. A complaint was lodged and the CNIL was notified.
When they are not being hit by ransomware, hospitals also face the threat of data theft. That is what has just happened to the AP-HP, which announced yesterday that it had been the victim of a cyberattack during the summer. Hackers managed to steal the data of 1.4 million people. The information relates to Covid screenings carried out in mid-2020 and includes the identity, social security number and contact details of the people tested; the identity and contact details of the healthcare professionals caring for them; and the characteristics and result of the test carried out. As Gérôme Billois of Wavestone said in a tweet, it is “recent, high-quality data that attracts cybercriminals for resale or fraud”.
In its statement, the AP-HP gives some clues about the cyberattack: “The theft could be linked to a recent security breach in the digital file sharing tool acquired by the AP-HP and hosted on its own technical infrastructure.” The name of the solution was not disclosed. We asked the AP-HP about this; it does not wish to comment further. The service was used to transmit data from tests carried out by medical laboratories to the Health Insurance and to the regional health agencies (ARS). It was used “on a very ad hoc basis” in September 2020 in addition to the national screening information system (SI-DEP). The latter is not affected by the data theft.
Complaint and notification to authorities
After learning of the incident, the AP-HP reported it to ANSSI and sent a notification to the CNIL. In addition, a complaint was lodged with the Paris public prosecutor. The fact remains that this case puts the cybersecurity of healthcare establishments back at the heart of the debate. It comes a few months after the President of the Republic announced a national cybersecurity plan with a focus on hospitals.
The plan provides in particular for an increase in the budgets of health establishments, as well as “the creation of a permanent observatory on the cybersecurity of health establishments, cyber awareness in the training of health personnel, the rise of the national health cybersurveillance service”. In recent months, we have witnessed an upsurge in attacks against hospitals: the Arles University Hospital in August, but we can also mention the Oloron Sainte-Marie hospital, those of Villefranche-sur-Saône and Saint-Gaudens, Rouen University Hospital and Dax Hospital.