Skip to content
Data breachContained

CARMF: 2.4 million doctor records leaked after a cyberattack

In May 2026, an actor using the alias lazasec claimed to have breached CARMF, France's pension and benefits fund for self-employed doctors, leaking a database of up to 2.4 million records with names, contributor codes, postal addresses and last-declaration dates; CARMF said the exposed data was public and non-sensitive.

Victim
CARMF

On 12 May 2026, CARMF — the Caisse Autonome de Retraite des Médecins de France, the mandatory pension and benefits fund for self-employed physicians in France — was named in a cybercriminal forum post by an actor using the alias lazasec, who claimed to have compromised CARMF's systems and exfiltrated a database of nearly 2.4 million records relating to French doctors and contributors.

The attacker published a sample to support the claim. The exact intrusion vector has not been confirmed publicly, and the full authenticity of the leaked database remains unverified. The sample exposed administrative and declarative fields rather than clinical or financial records:

  • First and last names
  • Contributor (cotisant) codes
  • Postal code and city
  • Date of last declaration

CARMF disclosed the security incident itself the following day, on 13 May 2026, via its newsletter, describing the leak as "limited" and characterising the affected information as public and non-sensitive. The fund reported that roughly 70,000 affiliates were concerned, a figure substantially lower than the 2.4 million records advertised by the attacker.

While the exposed fields are not medical records, the leak of physician identity and contact details raises the risk of targeted phishing and social-engineering attacks against doctors and the wider French healthcare sector. The incident appears contained, but the origin of the compromise had not been publicly established at the time of reporting.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/carmf-24-millions-denregistrements-de-medecins-en-fuite-apres-une-cyberattaque/
  2. lequotidiendumedecin.frhttps://www.lequotidiendumedecin.fr/liberal-soins-de-ville/retraite/cyberattaque-la-carmf-des-donnees-publiques-et-non-sensibles-ciblees-rassure-la-caisse

Related incidents

Data breachUnknown

23,685 records: claimed leak at ATOA

A threat actor put a database from ATOA — a French real-estate tokenization and fractional-investment fintech — up for sale on a dark web forum, exposing roughly 23,685 user and financial records plus 326 full KYC archives containing passports, ID cards and banking details.

Victim
ATOA
Records
23.7K