Public hospitals in Paris were the victims of a large-scale cyberattack.
The personal data of around 1.4 million people, who tested for Covid-19 in Île-de-France in mid-2020, were stolen "following a computer attack".
The Assistance publique-Hôpitaux de Paris (AP-HP) lodged a complaint on Wednesday.
The stolen data includes "the identity, social security number and contact details of the people tested", as well as "the identity and contact details of the healthcare professionals taking care of them, the characteristics and the result of the test carried out", but do not contain "any other medical data".
Read alsoCyberattacks: hospitals, a prime target for "unethical hackers"
This attack was "conducted during the summer and confirmed on September 12," said the AP-HP in a statement, ensuring that those concerned "will be informed individually in the coming days".
A security flaw in the digital tool
The hackers did not target the national file of screening tests (SI-DEP) but "a secure file sharing service", used "very occasionally in September 2020" to transmit to Health Insurance and agencies regional health authorities (ARS) information "useful for
contact tracing
".
Read also Cyberattacks: "Criminals never lack victims," laments a Kaspersky researcher
The institution recognizes that "the theft could be linked to a recent security flaw in the digital tool" that it uses for file sharing, according to initial investigations.
They "are continuing to determine the origin and modus operandi of this attack," the statement said.
Access to this service "was immediately cut off pending the end of the investigations."
The facts were also reported to the National Commission for Informatics and Freedoms (Cnil) and the National Information Systems Security Agency (Anssi).