Skip to content
Data breachResolved

Leak at MDPH 92

In early March 2026, MDPH 92 — the Hauts-de-Seine disability services agency — accidentally exposed around 500 beneficiaries' email addresses by sending a mass post-cyberattack notice with recipients in CC instead of BCC.

Victim
MDPH 92
records
500

On 2 March 2026, the MDPH 92 — the Maison Départementale des Personnes Handicapées (departmental disability rights agency) for Hauts-de-Seine — accidentally exposed roughly 500 of its beneficiaries' email addresses in a single mass mailing.

While trying to inform users that its services were resuming after the major ransomware-style cyberattack that had paralysed the Hauts-de-Seine department in May 2025, the agency sent a collective email with all recipients placed in the visible "CC" field rather than the blind "BCC" field. As a result, every recipient could see the full list of the other addressees.

  • Email addresses of approximately 500 MDPH beneficiaries

The leak was the result of human error rather than a malicious intrusion, but it is sensitive because it discloses a list of people in contact with a disability services agency — a vulnerable population. Observers warned of a heightened risk of spam and targeted phishing exploiting the recipients' known relationship with the MDPH. The incident is a one-off disclosure that has already occurred; coverage emphasised the need for better procedures and staff awareness rather than blaming the individual who sent the message.

Sources

  1. lesmotsontunsens.comhttps://www.lesmotsontunsens.com/mdph-92-le-mail-post-cyberattaque-qui-lache-500-adresses-email-en-clair/
  2. zataz.comhttps://www.zataz.com/parents-en-detresse-apres-la-cyberattaque-de-la-mdph-92/

Related incidents