The email was meant to be reassuring, but it caused perplexity and a feeling of helplessness among the French people who received it last week. The Assistance publique-Hôpitaux de Paris (AP-HP) has confirmed a “personal data breach” involving 1.4 million people. Confidential data from anti-Covid tests carried out in the summer of 2020 were stolen in a hack of a file storage and sharing service managed by the public establishment.
Combined with people’s names, dates of birth, social security numbers, and postal and electronic contact details, this information can be used to create false identities or for phishing. The AP-HP indicates that, apart from the result of the screening, no other medical data was leaked. As soon as the theft was confirmed, the service was cut off and complaints were filed. So far, the stolen information does not appear to have been used, but it was indeed briefly accessible on a download platform hosted in New Zealand.
Too little cybersecurity in healthcare facilities
However, this kind of modern-day hacking is happening more and more regularly. At the end of August, it was Francetest, a third-party platform not validated by the health department but used by pharmacists for its convenience, that had security flaws leaving virtually free access to the data of 700,000 French people who had been screened.
Even outside Covid-19, attacks against health structures are increasing. In 2020, 27 “major” cyberattacks targeted hospitals, according to a count given by Cédric O, the Secretary of State for the digital transition. “Hospitals have long had other priorities than cybersecurity and did not believe in the threat,” lamented the director of the National Agency for the Security of Information Systems (Anssi) at the beginning of September, at the International Cybersecurity Forum in Lille.
Beware of phishing
While efforts are therefore expected from establishments and practitioners, patients themselves have few means of preventing this type of problem, which is linked to the transmission of their information between health structures. The CNIL, the digital policeman, nonetheless points out a few things to watch for.
First, there is no point in trying to find out for yourself whether you have been a victim of the hack. If you are unfortunately affected, the organization or company that discovers the breach is required to notify you. Entering your name, address or other details on a website to find out whether your data has been stolen only increases the risk of encountering hackers.
Next, pay particular attention to the emails and SMS messages you receive, checking the sender’s email address or number each time. “Do not open attachments, reply to the message, or view links” in the event of a suspicious message, the CNIL reminds.
If your GP sends you a link by SMS to retrieve your prescription for your medications when you weren’t expecting anything, don’t click. Ditto if a (fake) Social Security email suddenly asks you to pay money within 24 hours through a PayPal account. If in doubt, call the usual number, not the one listed at the end of the email.