French regional healthcare agencies have reported cyber-attacks that compromised patient identity data across three regions—Hauts-de-France, Normandy, and Pays de la Loire. The incidents, disclosed on September 8, 2025, show how attackers targeted servers hosting patient identity records from public hospitals in these regions.

TL;DR

Three French regional healthcare agencies suffered cyber-attacks exposing patients’ personal identity data, including names, ages, phone numbers, and email addresses. While no medical information was leaked, the main concern is a rise in phishing attempts. Investigations confirmed attackers gained access by impersonating healthcare professionals and exploiting regional e-health systems.

What Happened

• Hauts-de-France ARS confirmed that exposed data included names, ages, phone numbers, and email addresses.
• No healthcare or medical records appear to have been leaked.
• Compromised accounts were disabled, and stronger security measures were put in place.
• Normandy ARS noted repeated intrusion attempts over time, showing persistence from the attackers.

How Attackers Gained Access

The breaches occurred through impersonation of healthcare professionals.

• Attackers used unauthorized access to professional accounts to enter systems managed by regional e-health development support groups (GRADeS).
• GRADeS provide shared digital healthcare services such as telemedicine, records access, and administrative platforms.

For example:

• Normand’e-Santé, the GRADeS for Normandy, oversees 43 digital services, including Therap-e, a telehealth platform for remote consultations and emergency appointments.
• Cybersecurity expert Damien Bancal (Zataz) suggested that attackers scraped patient identity data from these systems.
  

The immediate concern isn’t hospital disruption but phishing risks.Stolen identity details can be exploited to create convincing scams through email, calls, or SMS.Hauts-de-France ARS reminded patients that healthcare staff and institutions will never request sensitive data like bank details, social security numbers, or passwords through these channels. 

Next Steps

• Pays de la Loire ARS will notify all potentially affected patients.
• Normand’e-Santé filed reports with CNIL, France’s data protection authority.
• Formal complaints have also been submitted to law enforcement for investigation.

Key Takeaways

• Regions affected: Hauts-de-France, Normandy, and Pays de la Loire.
• Data exposed: Names, ages, phone numbers, and email addresses (no medical records).
• Attack method: Impersonation of healthcare professionals and exploitation of GRADeS systems.
• Risks: Increased phishing attempts targeting patients.
• Response: Accounts disabled, CNIL notified, and patients to be informed.

Bottom line: This incident highlights the growing risks in digital healthcare systems. Even if medical data stays safe, identity leaks can fuel phishing campaigns, making vigilance critical for patients and healthcare professionals alike.