Skip to content
Data breachContained

Leak at Hôpital privé de la Loire

A cyberattack on Hôpital privé de la Loire (Ramsay Santé) in Saint-Étienne, France exposed personal data of up to 530,000 patients, including identity details, social-security numbers (NIR), ID documents and consultation records, after a hacker used stolen physician credentials.

Victim
Hôpital privé de la Loire

On 21 June 2025, Hôpital privé de la Loire — a private hospital in Saint-Étienne operated by the Ramsay Santé group — was reported to have suffered a major patient-data breach. The intrusion took place between 26 June and 1 July 2025, when an attacker using the alias "Marak" reused a doctor's stolen credentials to access the hospital's information system and exfiltrate a large volume of patient records.

Early estimates put the breach at around 126,000 patients, but Ramsay Santé and security researchers later confirmed a much larger scope of up to 530,000 patients — described by researchers as one of the largest medical data leaks ever recorded in France. The attacker gave the hospital a 72-hour deadline to make contact via Telegram and demanded a ransom; no ransomware encryption was deployed and patient care was not disrupted.

Exposed data categories included:

  • Last name, first name, date of birth and gender
  • Postal address and phone number
  • Social-security number (NIR) and insurance details
  • Around 45,000 identity documents (ID cards, passports, residence permits)
  • Administrative documents and consultation summaries

The hospital said the affected data was essentially administrative in nature and that its care operations were unaffected. It applied corrective measures, filed a criminal complaint (handed to the Paris cybercrime prosecutor / OFAC), and notified the CNIL, the Regional Health Agency (ARS) and CERT Santé, while preparing to warn affected patients of identity-theft risks.

Sources

  1. xcancel.comhttps://xcancel.com/_SaxX_/status/1940667859467645379
  2. presse.ramsaygds.frhttps://presse.ramsaygds.fr/communique/226121/Usurpation-d-identite-vol-de-donnees-sur-systeme-d-information-de-l-Hopital-Ramsay-de-Loire-42?cm=1
  3. next.inkhttps://next.ink/brief_article/les-donnees-de-126-000-a-530-000-patients-dun-hopital-prive-de-saint-etienne-derobees/
  4. francebleu.frhttps://www.francebleu.fr/infos/faits-divers-justice/l-hopital-prive-de-la-loire-informe-ses-usagers-apres-un-piratage-informatique-3947435

Related incidents

Data breachContained

Leak at Médecin Direct

MédecinDirect, the French teleconsultation platform (a Teladoc Health subsidiary), disclosed on 3 December 2025 a data breach detected on 28 November exposing the personal and health data of around 285,000 patients, with a threat actor claiming up to 323,069 records.

Victim
Médecin Direct
Data breachContained

Leak at Itelis

In November 2025, Itelis — a French optical health-care network linked to AXA — disclosed a breach exposing roughly 1.6 million beneficiaries' identity and optical-reimbursement data, including names, dates of birth and social security numbers.

Victim
Itelis
Data breachContained

Data leak at Weda

On 12 November 2025, French medical-software publisher Weda disclosed a cyberattack in which compromised practitioner credentials (stolen by infostealer malware) gave attackers unauthorized access to its patient-record platform, potentially exposing sensitive medical data for tens of thousands of healthcare professionals.

Victim
Weda
Data breachOngoing

Leak at Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie

A September 2025 cyberattack on regional health-identity platforms used by several French Regional Health Agencies (ARS) exposed patient identity data; an attacker claimed roughly 35 million patient records across 130+ public hospitals, later offered for sale by the DumpSec group.

Victim
Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie