France's Largest Medical Breach: 15.8 Million Patient Records Stolen from a Cloud Server
Hackers stole 15.8 million patient files and 165,000 doctor notes from Cegedim Santé's MonLogicielMedical cloud platform in early 2026, confirmed on March 3. The company had already been fined €800,000 by France's CNIL in 2024 for mishandling health data on the same system.
VaultTools · April 7, 2026
Photo on Unsplash
Table of Contents
- What happened
- What the attackers took
- A regulator that already knew
- Why server-side document storage creates this risk
- What local processing changes
- Sources
What Happened
On March 3, 2026, French health software company Cegedim Santé confirmed that attackers had breached MonLogicielMedical, its cloud-hosted practice management platform used by approximately 3,800 doctors across France. The breach had been reported by France24 on February 27, 2026, but Cegedim’s official confirmation came days later.
The incident is now documented as the largest healthcare data breach in European history. No ransomware group has publicly claimed responsibility. Cegedim Santé notified the CNIL, France’s data protection authority, and stated that an investigation was underway.
What the Attackers Took
According to reporting by The Register and SC Media, the attackers exfiltrated two categories of data.
The first category is administrative patient records: 15.8 million files containing names, dates of birth, social security numbers, and insurance data for patients whose doctors used MonLogicielMedical.
The second category is 165,000 free-text clinical notes written by physicians. These notes contained diagnoses including HIV status, psychiatric conditions, and sexual orientation data. Under GDPR Article 9, all three categories qualify as special-category data requiring explicit consent to process.
CPO Magazine noted that the exposed records included files belonging to politicians and security officials whose medical histories were among the free-text notes.
A Regulator That Already Knew
The CNIL had issued a formal warning about Cegedim Santé’s data handling practices before the breach occurred. In September 2024, the authority fined the company €800,000 for unlawfully processing health data on the MonLogicielMedical platform, specifically for retaining patient data beyond permitted periods and for failing to implement adequate security measures.
That fine did not prevent the breach. It confirmed that the CNIL had audited the same system, identified serious deficiencies, and issued a financial penalty, yet the underlying architecture remained in place. The breach followed within approximately 18 months.
Why Server-Side Document Storage Creates This Risk
MonLogicielMedical operated as a centralized cloud platform. Doctors uploaded patient notes and administrative files to Cegedim’s servers. The company retained and processed those files on its infrastructure. When the infrastructure was compromised, 15.8 million patient records and 165,000 clinical notes were exposed in a single incident.
This is the structural risk of server-side document storage: every file uploaded to a third-party server becomes part of that server’s attack surface. A single breach of the vendor’s infrastructure exposes every document from every user who trusted the platform. The user has no control over what happens after upload, no visibility into the security posture of the server, and no way to limit the blast radius if the server is compromised.
The Cegedim breach is not an anomaly. It follows Progress ShareFile (CVE-2026-2699, CVE-2026-2701), the Conduent document processing breach affecting 25 million Americans, and the ShinyHunters intrusion into European Commission AWS infrastructure. In each case, the vulnerability was not the document itself but the server holding it.
What Local Processing Changes
Browser-based tools that process files locally, without uploading them, eliminate this category of risk entirely. If a file is never transmitted to a server, it cannot be stolen from a server. Encryption at rest, access controls, and security audits on vendor infrastructure become irrelevant because no vendor ever receives the file.
The technical mechanism is straightforward. Tools built on WebAssembly compile their processing logic to run inside the browser. When a user opens a PDF, compresses an image, or converts a document, the computation happens on their device. No bytes leave the browser. No server holds a copy.
Cegedim Santé was audited, fined, and warned. The architecture that put 15.8 million records at risk remained in place because the business model depended on centralized storage. Local processing tools have no such dependency.
Sources
- Hackers steal medical details of 15 million in France (France24, February 27, 2026)
- 15.8M medical records stolen from French health ministry supplier (The Register, March 3, 2026)
- French healthcare software provider Cegedim Santé suffers major data breach (SC Media)
- Centralized Healthcare System Data Breach Leaks Medical Records of 15 Million French Citizens (CPO Magazine)
- Health data: CEGEDIM SANTÉ fined €800,000 (CNIL, September 2024)