Leak at Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie
A September 2025 cyberattack on regional health-identity platforms used by several French Regional Health Agencies (ARS) exposed patient identity data; an attacker claimed roughly 35 million patient records across 130+ public hospitals, later offered for sale by the DumpSec group.
- Victim
- Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie
On 22 October 2025, a data leak affecting several French Regional Health Agencies (Agences Régionales de Santé, ARS) — the public bodies that steer the regional healthcare system — was publicly surfaced by security researchers. The exposure stemmed from a cyberattack carried out in early September 2025 against shared regional health-identity platforms (including the Inéa Santé Numérique Hauts-de-France infrastructure) used to manage patient identity across public hospitals.
The attacker claimed access to the patient identity data of roughly 35 million people spanning more than 130 public hospitals, with the ARS of Hauts-de-France, Normandie, Pays de la Loire, Île-de-France and Auvergne-Rhône-Alpes among those referenced. The Hauts-de-France ARS confirmed a breach of patient identity data while stating that no medical-record contents were stolen and that hospital operations were not disrupted.
Data categories reported as exposed include:
- Full identity (name, surname, sex, date of birth)
- Social security / national health identifiers (NIR / INS)
- Contact details and addresses
- Administrative care-pathway information
The intrusion was initially attributed to an actor operating under the name "Marak," who first framed the database as a trophy rather than a commodity. The dataset later resurfaced in the hands of the DumpSec group, which offered it for sale on cybercrime forums, sharply raising the risk of identity theft and targeted phishing. Affected ARS launched individual patient notification campaigns (by SMS and email) and the matter remains under investigation.
Sources
- xcancel.comhttps://xcancel.com/_SaxX_/status/1980875468774474221
- hauts-de-france.ars.sante.frhttps://www.hauts-de-france.ars.sante.fr/cyberattaque-menee-contre-les-donnees-didentite-des-patients-des-hopitaux-publics-de-la-region
- solutions-numeriques.comhttps://www.solutions-numeriques.com/cyberattaque-sur-les-agences-regionales-de-sante-35-000-000-de-dossiers-patients-reapparaissent/
- cyberattaque.orghttps://www.cyberattaque.org/cyberattaque-hopitaux-et-aphp-ars/