Skip to content
Supply chainContained

Leak at Inovie Labosud

On 23 September 2025, French medical-lab group Inovie Labosud disclosed a breach exposing administrative and medical data of an estimated 3.2 million patients after attackers used a third-party provider's stolen credentials.

Victim
Inovie Labosud
records
3.2M

On 23 September 2025, Inovie Labosud — a major medical-analysis laboratory group based in southern France — disclosed that attackers had gained unauthorized access to patient personal data. A police source cited in French media estimated that around 3.2 million patients were affected, including roughly one million whose records contained medical information on pathologies, treatments or medical documents.

The intrusion was traced back to 31 August 2025, when the laboratory detected abnormal server saturation and the execution of scripts connecting to its network. The attackers gained entry using compromised credentials (username and password) belonging to one of the group's external service providers — a relatively simple foothold that allowed lateral access across the network.

The exposed data fell into two categories:

  • Administrative data: identity, contact details, social security and supplementary health-insurance (mutuelle) information
  • Medical data: information relating to the characteristics of laboratory tests performed

According to the company, no passwords or banking data were affected. Inovie Labosud said it took immediate measures to block the unauthorized access and contain the breach, notified the CNIL, ARS Occitanie and ANSSI, and filed a criminal complaint to open a judicial investigation. Patients were warned to stay alert for phishing attempts that could exploit the leaked information.

Sources

  1. usine-digitale.frhttps://www.usine-digitale.fr/article/des-donnees-medicales-exposees-apres-un-incident-de-securite-chez-inovie-labosud.N2238514
  2. zataz.comhttps://www.zataz.com/cyberattack-at-inovie-labosud-medical-data-compromised/
  3. next.inkhttps://next.ink/brief_article/fuite-de-donnees-aux-laboratoires-danalyses-inovie-labosud-apres-une-cyber-attaque/
  4. france3-regions.franceinfo.frhttps://france3-regions.franceinfo.fr/occitanie/herault/montpellier/ces-donnees-vont-etre-vendues-le-laboratoire-d-analyses-medicales-inovie-labosud-pirate-les-consequences-de-l-attaque-decryptees-3223055.html

Related incidents

Supply chainContained

Leak at APRS (via Itelis)

APRS members were exposed in the November 2025 breach of Itelis, AXA's third-party optical-care platform, after an attacker posed as a partner optician; leaked data included names, dates of birth, social security numbers, optical reimbursement records and vision-correction details.

Victim
APRS