Here is a stat that should give every patient using a digital health platform pause: one breach of a single medical software supplier has exposed the records of roughly one in four people living in France. According to reporting by The Register and French broadcaster France 24, cybercriminals stole 15.8 million administrative patient files after compromising Cegedim Santé, a private software vendor that supplies technology to France's health ministry ecosystem.
The breach, which Cegedim Santé confirmed occurred in late 2025, targeted the company's MonLogicielMedical (MLM) platform, which the company claims is used by 3,800 doctors across France, 1,500 of whom were affected. The platform lets patients check their health records electronically and communicate with their physician, and gives doctors a range of administrative features.
Approximately 165,000 of the stolen files contained notes written by doctors, which in "very limited cases" included sensitive information about an individual's medical history, such as details of conditions including HIV/AIDS and individuals' sexual orientations. Top politicians were reportedly among the individuals whose information was extracted. The stolen data is reported to have been placed for sale on the dark web, making the exposure potentially permanent for those affected.
Beyond the headline figure, the real concern is what the data actually contained. Cegedim has maintained that structured medical records, including prescriptions and biological test results, were not accessed. The company says the compromised information came "exclusively from the administrative patient file," covering names, gender, dates of birth, phone numbers, addresses, emails, and free-text administrative notes written at doctors' discretion. That distinction offers limited comfort. Free-text fields in medical software are precisely where clinicians record observations they consider important but that fall outside formal diagnostic categories. Cybersecurity expert Gérome Billois of the Wavestone consultancy described the leak as potentially "the biggest in France" in the health sector and warned it could have "irreparable consequences," telling AFP that once health information confirming a serious diagnosis is released, "you can never go back."
The accountability questions here are layered. In September 2024, Cegedim Santé was fined 800,000 euros by data protection regulators for processing health data without authorisation, in violation of France's Data Protection Act and the GDPR. That prior sanction sits uncomfortably alongside the company's current assurances of commitment to data security. Cegedim Santé has notified the incident to France's data protection regulator, the CNIL, as well as the national cybersecurity agency ANSSI and the health ministry's CERT Santé service, and has filed a criminal complaint with the public prosecutor. A Paris court inquiry for unauthorised access to an automated data processing system is under way.
Those who argue that private suppliers of public health infrastructure carry inherently systemic risk have a legitimate point. Health ministries around the world, including Australia's own, have progressively contracted out digital health functions to commercial vendors as a cost-efficiency measure. The efficiency gains are real. So, too, are the supply-chain vulnerabilities that come with them. When a single vendor's software covers 3,800 practitioners and potentially touches the records of millions of patients spanning up to 15 years of history, the blast radius of a single intrusion becomes enormous.
The counter-argument, and it is not without merit, is that centralised government IT systems are not inherently safer. France's finance ministry demonstrated this when it confirmed in February that a separate breach in January had seen attackers access the national bank account file. Around 1.2 million accounts were compromised, with account numbers, account holders' addresses, and tax identification numbers taken. Affected individuals were notified and warned to watch for phishing. The government said the attacker had impersonated a civil servant "with access rights for inter-ministerial information exchange" to gain access. Two major government-adjacent breaches in consecutive weeks point to a broader cultural and systemic problem, not a failure unique to private vendors.
For Australian readers, the parallels are direct. The Australian Digital Health Agency administers the My Health Record system, which holds clinical documents for millions of Australians through a network of healthcare providers and software intermediaries. The French case is a sharp reminder that the security of digital health infrastructure is only as strong as its weakest third-party integration. The Office of the Australian Information Commissioner received 527 data breach notifications in the second half of 2024 alone, with the health sector consistently among the most affected industries.
Getting this right requires neither blanket suspicion of digital health systems nor naive faith in vendor assurances. It requires rigorous, independently audited security standards for any third party handling protected health information, proportionate regulatory enforcement when those standards slip, and clear, timely disclosure when breaches occur. The French experience shows what happens when each of those levers fails in sequence. That is not a uniquely French problem.