15.8 Million French Patient Records Exposed in Cegedim Santé Supply Chain Attack

Attackers compromised MonLogicielMedical, a web-based practice management platform built by French healthcare software vendor Cegedim Santé, and extracted administrative records for approximately 15.8 million patients — the largest confirmed medical data breach in French history. Among the stolen files were free-text doctor annotations for at least 165,000 individuals, some containing HIV status, sexual orientation, and other highly sensitive personal disclosures. The Cegedim Group, the Paris-listed parent company behind the affected subsidiary, reported over €649 million in revenue for 2025 and employs nearly 6,500 people across more than ten countries.

15.8M: administrative records exposed
169K: records with sensitive doctor notes
1,500: medical practices affected
~4 months: gap between detection and public disclosure

France has experienced a cascade of serious data incidents in early 2026, but the Cegedim Santé breach stands apart in scope and sensitivity. The story broke publicly on the evening of February 26, 2026, when broadcaster France 2 reported during its 20h newscast that it had accessed an openly available database containing health information on millions of French patients. The records were verified: individuals contacted by France 2 journalists confirmed their personal details were accurate. By the following morning, February 27, French Health Minister Stéphanie Rist had publicly disclosed the incident via social media. What followed was a rapid unraveling of a supply chain attack that had apparently been underway since late 2025 — one that Cegedim Santé had filed a criminal complaint over in October 2025, months before the public learned anything had happened.

What Was Compromised and How It Was Discovered

Cegedim Santé is a subsidiary of the Paris-listed Cegedim Group, which provides software and data services to the healthcare and insurance sectors. The affected product is MonLogicielMedical (MLM), a cloud-based practice management system that allows physicians to manage patient records, handle scheduling, issue prescriptions, and communicate with patients remotely. According to Cegedim Santé, approximately 3,800 doctors in France were using MLM at the time of the breach, and roughly 1,500 of those practices were directly affected.

The company says it first detected the intrusion when it observed what it described as "abnormal application request behaviour on user doctor accounts" in late 2025. An internal investigation confirmed that patient data held within MLM had been illegally accessed or extracted. In terms of scope, Cegedim Santé put the total at 15.8 million administrative files. Within that set, between 165,000 and 169,000 records contained free-text annotations written by doctors — fields designed for personal clinical notes that fell outside the system's structured medical record fields.

The data exposed across the full 15.8 million records included patient full names, gender, dates of birth, telephone numbers, postal addresses, and email addresses. For the subset containing doctor annotations, the exposure was far more consequential. France 2's investigation reported finding entries referencing HIV-positive status, sexual orientation, family circumstances such as a parent's incarceration, and religious practice. According to Germany-based reporting by France Info, the stolen data also included references to patients' suicidal thoughts and addiction history. The French Ministry of Health confirmed these disclosures, noting that around 169,000 patients had sensitive personal notes included in the leaked material. Top politicians and senior civil servants were reportedly among the affected individuals.

"The information involved comes exclusively from patients' administrative records: name, first name, gender, date of birth, phone number, address, email, and administrative notes in free text at the discretion of the doctors. For a very limited number of patients, these notes may have contained personal annotations from the doctor concerning sensitive information." — Cegedim Santé, official press release, February 26, 2026

Cegedim was careful to draw a distinction between the compromised administrative layer and the deeper structured medical records within MLM. The company stated that prescriptions, biological examination results, and structured clinical records remained intact. Whether that framing holds under regulatory scrutiny remains an open question: free-text fields containing HIV diagnoses and sexual orientation disclosures are unambiguously special category data under the GDPR, regardless of where they technically sit within a system's data model. The Health Ministry itself acknowledged it does not have full visibility over the extent of the administrative data for all 15 million people in the leaked databases.

Attack Chain Overview — Cegedim Santé / MLM Breach
Stage 1: Doctor account compromise
Stage 2: MLM application layer access
Stage 3: Database query enumeration
Stage 4: Mass data exfiltration
Stage 5: Public exposure
Reconstructed attack progression based on Cegedim Santé press release and investigative reporting by France 2, France 24, and The Register. Specific attack vector not yet formally confirmed by authorities.

The Supply Chain Vector: How Attackers Got In

This incident illustrates the defining characteristic of a third-party software supply chain attack: the adversary did not target the French health ministry directly. Ministry infrastructure was not breached. State systems were not penetrated. Instead, attackers identified and exploited a private software vendor that processed health data on behalf of thousands of practitioners — essentially using the vendor's platform as a bridge to patient records at scale.

Cegedim Santé has not released a detailed forensic timeline of the breach, and French authorities had not publicly confirmed a specific attack vector as of mid-March 2026. The Paris prosecutor's office opened a formal investigation on November 3, 2025, for offenses against an automated data processing system, with the Brigade de lutte contre la cybercriminalité (BL2C) assigned to the case. What Cegedim has confirmed is that the intrusion manifested as abnormal query behavior on physician accounts inside the MLM application layer — a pattern consistent with either compromised credentials or exploitation of an application vulnerability.
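The "abnormal request behaviour" Cegedim describes shows up in application-layer logs as one account reading far more distinct patient records per time window than any clinician's caseload would produce. The detector below is an added example, not Cegedim's code and not MLM's real log format: the log line layout, the account names, the epoch timestamps and the thresholds are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is one application-layer record read. The log format is constructed
// for this example: "<unix_seconds> <doctor_account> <patient_id>".
type Event struct {
	At      int64
	Account string
	Patient int
}

func ParseEvents(lines []string) ([]Event, error) {
	var out []Event
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", l)
		}
		at, err1 := strconv.ParseInt(f[0], 10, 64)
		id, err2 := strconv.Atoi(f[2])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad timestamp or patient id in %q", l)
		}
		out = append(out, Event{at, f[1], id})
	}
	return out, nil
}

type windowKey struct {
	Account string
	Bucket  int64
}

// Detect buckets each account's reads into tumbling windows of windowSec
// seconds and returns every account that touched more than maxDistinct distinct
// patients inside one window, with its peak count. A clinician's caseload per
// window is bounded; an account walking the patient table is not.
func Detect(events []Event, windowSec int64, maxDistinct int) map[string]int {
	seen := map[windowKey]map[int]bool{} // window -> set of patient ids read
	for _, e := range events {
		k := windowKey{e.Account, e.At / windowSec}
		if seen[k] == nil {
			seen[k] = map[int]bool{}
		}
		seen[k][e.Patient] = true
	}
	flagged := map[string]int{} // account -> peak distinct patients in a window
	for k, ids := range seen {
		if len(ids) > maxDistinct && len(ids) > flagged[k.Account] {
			flagged[k.Account] = len(ids)
		}
	}
	return flagged
}

// SampleLog is constructed data: a clinician's normal morning (a few patients,
// some re-opened) and one account reading a new patient record every 2 seconds.
func SampleLog() []string {
	const t0 = 1762160400 // 2025-11-03 09:00:00 UTC, constructed
	var lines []string
	for i, id := range []int{4012, 4012, 7731, 1190, 7731, 5520} {
		lines = append(lines, fmt.Sprintf("%d dr.martin %d", t0+int64(i)*600, id))
	}
	for i := 0; i < 300; i++ {
		lines = append(lines, fmt.Sprintf("%d dr.dupont %d", t0+int64(i)*2, 100000+i))
	}
	sort.Strings(lines) // log order does not matter to Detect; sorted for readability
	return lines
}

func main() {
	evs, err := ParseEvents(SampleLog())
	if err != nil {
		panic(err)
	}
	fmt.Println("flagged accounts:", Detect(evs, 600, 50)) // map[dr.dupont:300]
}
```

Tumbling windows are what most SIEM aggregations give you cheaply; a burst straddling a boundary is split across two buckets, so the threshold should be set with that halving in mind.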

"Investigators have not yet confirmed the attack vector, but based on what's been reported, the breach likely stemmed from either an unpatched software vulnerability or a targeted phishing campaign — two of the most common entry points in healthcare incidents. Until Cegedim Santé and the French Health Ministry release more forensic detail, we can only assess it through the lens of typical healthcare attack patterns." — Damon Small, Board of Directors, Xcape (via CPO Magazine)

One element that raises particular concern is the format of the exposed data. According to CPO Magazine, the doctor annotations found in the breach were stored in clear-text format — meaning no encryption layer stood between an attacker with database access and the raw content of every note. For a system handling data explicitly classified as sensitive under GDPR Article 9, the absence of field-level encryption on free-text clinical notes represents a significant design gap, regardless of how the initial access was obtained.

Cegedim's Prior Security History: MOVEit and the CNIL Fine

The 2026 incident is not the first time Cegedim has been at the center of a data security event, nor is it the company's first encounter with French regulatory authorities over data handling.

In June 2023, the Cl0p ransomware group listed Cegedim (the parent company, not the Santé subsidiary specifically) among its victims in the global MOVEit Transfer campaign. Cl0p exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's file transfer product, compromising over 2,700 organizations and exposing data on approximately 93.3 million individuals worldwide. According to LeMagIT, Cl0p published more than 1.5 terabytes of compressed data attributed to Cegedim. The company did not publicly comment on the incident at the time. DPO Partage, which published the most detailed French-language analysis of the 2026 breach, noted that no source has confirmed or denied a direct link between the 1.5 terabytes exfiltrated by Cl0p in 2023 and the database published by DumpSec in 2026. That open question matters: if any portion of the MLM data was initially accessed via the MOVEit compromise and later resold or repackaged, the attack timeline would extend far beyond what has been publicly disclosed.

Prior CNIL Enforcement

On September 5, 2024, the CNIL fined Cegedim Santé €800,000 for processing health data without authorization. CNIL investigators, following inspections carried out in 2021, determined that data collected through Cegedim's "observatory" — a panel of approximately 2,000 doctors using the Crossway software product who voluntarily contributed patient data for research purposes — was pseudonymous rather than anonymous. Patient data included year of birth, gender, allergies, medical history, diagnoses, prescriptions, and analysis results, all linked to a unique patient identifier that made re-identification technically feasible. The CNIL found that Cegedim Santé had operated what amounted to an unauthorized health data warehouse in violation of Article 66 of the French Data Protection Act. Cegedim Santé appealed the decision to the Conseil d'État, which rejected the appeal on February 13, 2026 — just 13 days before France 2 broadcast the news of the 2026 breach. The ruling, which also confirmed related sanctions against GERS and Santestat, bringing the group's total regulatory liability to €1.8 million, constitutes a definitive judicial confirmation of the CNIL's position. CNIL will be assessing the 2026 breach with that ruling freshly on the record.

The convergence of the 2023 MOVEit exposure, the 2024 CNIL fine, and the 2026 MLM breach paints a picture of a vendor that has been the subject of repeated security and compliance concerns over a compressed period. While these are legally distinct events, the regulatory context is cumulative: CNIL will be assessing the 2026 breach with full knowledge of its prior enforcement action against the same company.

DumpSec, BreachForums, and the Disclosure Timeline

The threat intelligence dimension of this breach involves a cybercriminal group operating under the name DumpSec. On February 26, 2026, VECERT threat monitoring systems flagged a claim posted to BreachForums in which DumpSec stated it had personally extracted the Cegedim database. The group has been linked to prior attacks targeting French entities, including an incident involving a branch of France's Ministry of Sports. In the BreachForums post, DumpSec claimed to hold approximately 65 million data entries — a figure substantially larger than the 15.8 million the French Ministry of Health confirmed. An independent verification by a researcher using the pseudonym SaxX reportedly authenticated at least 22 million entries from the dataset.

Source                          Claimed record count    Basis
Cegedim Santé (press release)   15.8 million            Internal investigation
French Ministry of Health       ~15 million             Vendor-reported figures
SaxX (independent researcher)   22 million verified     Dataset authentication
DumpSec (threat actor)          65 million claimed      BreachForums post

The actor who spoke to France 2 claimed to have alerted Cegedim to the breach without receiving any response. Cegedim directly contradicted this account in its press release: "Furthermore, Cegedim was never contacted by the cybercriminal." That dispute is unresolved. The initial public posting of the data on BreachForums was removed after France 2's broadcast aired, but a separate listing attributed to DumpSec offering the full database for sale remained active according to reporting by Next.ink and MacGeneration at the time of writing.

Disclosure Timeline — Cegedim Santé Breach
Late 2025
Cegedim Santé detects "abnormal application request behaviour" on MLM doctor accounts. Internal investigation begins.
Oct 27, 2025
Cegedim Santé files a criminal complaint with the public prosecutor.
Nov 3, 2025
Paris prosecutor's office opens formal investigation. BL2C (Brigade de lutte contre la cybercriminalité) assigned to the case.
Jan 2026
Cegedim Santé says it contacted affected doctors and assisted those who wished to file CNIL notifications and inform patients. Company notifies CNIL.
Feb 26, 2026
France 2 broadcasts the story during its 20h newscast. DumpSec posts claim to BreachForums. VECERT issues threat alert.
Feb 27, 2026
Health Minister Stéphanie Rist publicly discloses the incident via social media. Cegedim Santé publishes official press release. Ministry demands explanations and guarantees.
Mar 3, 2026
The Register, SC Media, TechRadar, and other outlets publish English-language coverage. CNIL has not issued a public statement as of this date.

The disclosure timeline itself is one of the breach's most troubling elements. Cegedim Santé filed a criminal complaint in October 2025. The company says it notified CNIL and informed affected doctors in January 2026. Yet the 15 million people whose records were circulating on the dark web were not informed until France 2 published its investigation at the end of February 2026 — at minimum four months after Cegedim detected the intrusion. French law requires controllers to notify the CNIL within 72 hours of becoming aware of a personal data breach under GDPR Article 33. Individual notification obligations under Article 34 apply when the breach is likely to result in high risk to individuals — a threshold that free-text notes containing HIV status, sexual orientation, and family situation clearly meet.

The Ministry of Health's position was to distance the state from responsibility, stressing the private vendor's role as data processor:

"This breach is not the result of a failure in the ministry's systems, nor of infrastructure directly under State control." — French Ministry of Health statement, February 27, 2026 (via AFP)

Regulatory and Government Response

French Health Minister Stéphanie Rist — a Renaissance party politician who has served in the role since October 12, 2025, under Prime Minister Sébastien Lecornu — made a public statement via social media on February 27, 2026, the morning after France 2's broadcast. Rist formally requested that Cegedim Santé provide a full account of the technical causes of the breach, the corrective measures adopted, and guarantees that a recurrence would not occur. The ministry's position was explicit: responsibility lay with the private vendor, not with state infrastructure.

CNIL, France's data protection authority, had not issued a public statement as of mid-March 2026, though Cegedim confirmed it had notified the regulator. Given CNIL's prior enforcement history with the same company, a formal investigation and a sanctions proceeding are credible near-term developments. Under GDPR, fines for violations involving special category data — which health information and sexual orientation explicitly are — can reach four percent of global annual turnover or €20 million, whichever is higher. For context, the Cegedim Group reported revenue exceeding €649 million in 2025, which would place a theoretical maximum GDPR fine at approximately €26 million.

The Cegedim Santé breach is unfolding alongside two other significant French data incidents. On February 18, 2026, the Finance Ministry disclosed that attackers had accessed approximately 1.2 million records from FICOBA, France's national bank account registry — a centralized state-managed database operated by the tax authority (DGFiP) that tracks nearly 300 million bank accounts belonging to roughly 80 million individuals. The breach was accomplished using compromised civil servant credentials to access an inter-ministerial data sharing system. Exposed data included IBANs, account holder names, addresses, and in some cases tax identification numbers. Separately, Cybernews researchers reported finding an unprotected database containing around 45 million French records spanning demographic, healthcare, and financial categories — though that dataset has not been conclusively linked to the MLM breach by authorities.

The convergence of these incidents in a compressed timeframe has intensified scrutiny of France's approach to healthcare data governance. The MLM platform, as a centralized cloud system used across thousands of practices, concentrated patient records from a large portion of the French population behind a single vendor's security perimeter. When that perimeter failed, the blast radius was not one practice but 1,500. According to the Cegedim Group's press release, the MLM database contained patient records dating back as far as 15 years, which explains the unusually high volume of affected individuals relative to the number of active practices.

Why Healthcare Software Is a Prime Supply Chain Target

Healthcare software vendors occupy a structural position that makes them disproportionately attractive targets. A single platform used by thousands of practices aggregates patient data at a scale no individual clinic could produce. The vendor becomes a force multiplier: compromise the software, access the patients. That calculus is well understood by sophisticated threat actors and financially motivated cybercriminal groups alike.

Medical data commands premium prices in underground markets for reasons that extend beyond simple identity theft. Health records enable targeted insurance fraud, pharmaceutical scams, and blackmail. Records containing HIV status, sexual orientation, or mental health history are particularly exploitable because the potential harm of exposure — discrimination in employment, insurance denial, social stigma, relationship damage — creates strong coercive leverage. The data France 2 found in the leaked MLM database, with annotations referencing HIV-positive patients and same-sex orientation, sits precisely in this high-value, high-harm category.

French cybersecurity professionals have pointed to systemic underinvestment in security across the healthcare software sector as a contributing factor. Software publishers that serve medical practices are subject to certification requirements, but the enforcement of technical security standards within those frameworks has historically lagged behind the sophistication of attacks. Free-text fields holding what amounts to Article 9 special category data, stored in clear text, are a concrete example of that gap.

The supply chain framing also matters for how organizations think about their own risk exposure. A physician practice that implemented MLM reasonably assumed it had outsourced data management to a specialist vendor with appropriate security controls. The breach demonstrates that third-party vendor risk is not theoretical — it is the attack surface through which patient data flows out of the healthcare system and into criminal hands. Vendor due diligence, contractual security requirements, and continuous monitoring of third-party access are not optional elements of a healthcare security program; they are the perimeter.

Patient Advisory

Affected patients in France are advised to treat incoming communications with heightened suspicion. The combination of full name, date of birth, address, email, and telephone number in the exposed dataset is sufficient to construct convincing phishing messages impersonating health insurance bodies (Assurance Maladie), pharmacies, or general practitioners. Individuals who suspect they may have been patients of a practice using MLM software should monitor their health insurance communications and report suspicious contact to the official French fraud reporting service, cybermalveillance.gouv.fr.

Key Takeaways

  1. Supply chain attacks scale damage exponentially. Attackers did not need to breach 1,500 medical practices individually. Compromising one software vendor's application layer was sufficient to reach the patient records of an estimated 15 to 22 million people, depending on whose count is used.
  2. Free-text fields are a hidden GDPR liability. Clinical systems routinely allow physicians to enter unstructured notes. When those notes contain special category data — health conditions, sexual orientation, religion — and are stored without field-level encryption, they represent an exposure far greater than the structured record fields that typically receive security attention.
  3. The notification gap is significant and likely to face regulatory scrutiny. Cegedim filed its criminal complaint in October 2025. Affected patients learned of the breach through a television broadcast in late February 2026. That timeline raises direct questions about GDPR Article 34 compliance, and CNIL's next steps will define whether France enforces notification requirements with meaningful consequence.
  4. Threat actor claims diverge substantially from vendor figures. Cegedim acknowledges 15.8 million records. DumpSec claims 65 million. An independent researcher verified 22 million. Until forensic analysis is complete and public, the true scope remains uncertain — and the version patients are being told may be the most conservative estimate available.
  5. France's concurrent breach cluster signals systemic exposure. The FICOBA bank registry breach and the 45-million-record dataset discovered by researchers, both surfacing within weeks of the Cegedim incident, suggest that France's interconnected government and healthcare data infrastructure faces coordinated or opportunistic pressure across multiple fronts simultaneously.
  6. Prior incidents compound regulatory risk. The 2023 Cl0p/MOVEit data exfiltration involving the parent Cegedim Group and the 2024 CNIL fine against Cegedim Santé itself create a documented pattern of recurring security and compliance concerns. The Conseil d'État dismissed Cegedim Santé's appeal of that fine on February 13, 2026 — 13 days before the breach became public — making the sanction final. CNIL will evaluate the 2026 breach with a definitive judicial ruling against the same company freshly on the record.

The Cegedim Santé breach will likely be cited for years as a case study in why third-party vendor risk management is a core healthcare security function rather than a procurement afterthought. The data is out. The investigation is active. The regulatory reckoning has not yet arrived — but the Conseil d'État's dismissal of Cegedim Santé's CNIL appeal on February 13, 2026, just days before the breach became public, means CNIL enters any new enforcement proceeding with a final judicial ruling already on the record. What happens next in the CNIL enforcement track — and whether France's health ministry moves to impose stronger technical standards on certified health software vendors — will determine whether this incident produces structural change or becomes another unacted warning in a long list of them.

Sources: The Register, France 24 / AFP, CPO Magazine, SC Media, TechRadar, The Connexion, Prism News, CNIL, DPO Partage, Cegedim Santé official press release (PDF), Cegedim Santé supplementary press release, Conseil d'État decision n° 498628 (Feb. 13, 2026), Anadolu Agency, Posteo / France Info, LeMagIT.

Frequently Asked Questions

How many patients were affected by the Cegedim Santé breach?

Cegedim Santé confirmed that 15.8 million administrative patient records were compromised. The threat actor DumpSec claims 65 million data entries, and independent researcher SaxX verified at least 22 million. The French Ministry of Health confirmed that approximately 169,000 patients had sensitive doctor annotations included in the leaked data.

What data was exposed in the Cegedim Santé MonLogicielMedical breach?

The breach exposed patient full names, gender, dates of birth, telephone numbers, postal addresses, and email addresses across the full 15.8 million records. For approximately 165,000 to 169,000 records, free-text doctor annotations were also exposed, some containing HIV status, sexual orientation, family circumstances, and religious practice.

Who is behind the Cegedim Santé cyberattack?

A cybercriminal group operating under the name DumpSec claimed responsibility for the attack on BreachForums on February 26, 2026. DumpSec has been linked to prior attacks on French organizations including a branch of the Ministry of Sports. The Paris prosecutor's office opened a formal investigation on November 3, 2025, with the Brigade de lutte contre la cybercriminalité (BL2C) assigned to the case.

What should affected patients do after the Cegedim Santé breach?

Affected patients should treat all incoming communications with heightened suspicion, as the exposed data is sufficient to construct convincing phishing messages impersonating health insurance bodies, pharmacies, or doctors. Individuals should monitor health insurance communications for suspicious activity and report any suspicious contact to the official French fraud reporting service at cybermalveillance.gouv.fr.

Has CNIL fined Cegedim Santé before?

Yes. On September 5, 2024, the CNIL fined Cegedim Santé 800,000 euros for processing pseudonymous patient data without proper authorization. Cegedim Santé appealed the fine to the Conseil d'État, which dismissed the appeal on February 13, 2026 — 13 days before the breach became public — making the sanction final and judicially confirmed.
