Skip to content
Data breachUnknown

Leak at Pulsy

Patient data managed by Pulsy, the regional e-health operator (GRADeS) for France's Grand Est region, was reported leaked on 13 May 2025, exposing identity details, contacts and sensitive health information including care pathways and hospitalisation records.

Victim
Pulsy

On 13 May 2025, Pulsy — the Groupement Régional d'Appui au Développement de la e-santé (GRADeS) that operates digital health services for France's Grand Est region — was reported as the source of a leak of patient data. Pulsy runs shared regional platforms used by hospitals, care providers and professionals across the region, making any compromise of its systems a sensitive health-data exposure.

The leaked dataset reportedly combined civil-identity and contact information with sensitive medical data, including details of patients' care pathways and the dates and locations of their hospitalisations.

Exposed data categories reportedly included:

  • Last name, first name and gender
  • Date and place (commune) of birth
  • Postal address, phone number and email
  • Medical data and care-pathway information
  • Dates and locations of hospitalisations

The precise scale of the incident (number of affected patients) and the attack vector have not been confirmed by an authoritative public source, and Pulsy's formal response and the current status of the incident remain unclear. This record is grounded in the originally imported breach summary; details should be treated as provisional pending confirmation from the operator, the regional health authority (ARS Grand Est) or the CNIL.

Sources

  1. bonjourlafuite.eu.orghttps://bonjourlafuite.eu.org/#Pulsy-2025-05-13

Related incidents

Data breachContained

Leak at Médecin Direct

MédecinDirect, the French teleconsultation platform (a Teladoc Health subsidiary), disclosed on 3 December 2025 a data breach detected on 28 November exposing the personal and health data of around 285,000 patients, with a threat actor claiming up to 323,069 records.

Victim
Médecin Direct
Data breachContained

Leak at Itelis

In November 2025, Itelis — a French optical health-care network linked to AXA — disclosed a breach exposing roughly 1.6 million beneficiaries' identity and optical-reimbursement data, including names, dates of birth and social security numbers.

Victim
Itelis
Data breachContained

Data leak at Weda

On 12 November 2025, French medical-software publisher Weda disclosed a cyberattack in which compromised practitioner credentials (stolen by infostealer malware) gave attackers unauthorized access to its patient-record platform, potentially exposing sensitive medical data for tens of thousands of healthcare professionals.

Victim
Weda
Data breachOngoing

Leak at Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie

A September 2025 cyberattack on regional health-identity platforms used by several French Regional Health Agencies (ARS) exposed patient identity data; an attacker claimed roughly 35 million patient records across 130+ public hospitals, later offered for sale by the DumpSec group.

Victim
Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie