Skip to content
Data breachContained

Data leak at Weda

On 12 November 2025, French medical-software publisher Weda disclosed a cyberattack in which compromised practitioner credentials (stolen by infostealer malware) gave attackers unauthorized access to its patient-record platform, potentially exposing sensitive medical data for tens of thousands of healthcare professionals.

Victim
Weda

On 12 November 2025, Weda — a leading French publisher of cloud-based electronic health record (EHR) software used by general practitioners, specialists, midwives and health centres — disclosed a cyberattack against its patient-record platform. Late on 10 November, around 11:30 PM, Weda detected unusual activity on several user accounts indicating unauthorized access, and shut down its services as a precaution to prevent further data exfiltration.

Investigators traced the intrusion to compromised practitioner credentials rather than a breach of Weda's own infrastructure. Threat-intelligence firm Hudson Rock identified more than 55 Weda SaaS accounts whose logins had been harvested by infostealer malware running on users' workstations, allowing attackers to log in as legitimate healthcare professionals. Weda acknowledged that the malicious access "may have enabled partial data extraction," though the full scope of any leak was not formally confirmed at the time of disclosure.

The platform hosts highly sensitive information, and the data potentially at risk included:

  • Complete patient medical records and consultation histories
  • Examination and test results
  • Prescriptions
  • Billing data
  • Social Security (NIR) and identity information

Weda's platform serves tens of thousands of healthcare professionals (reports cited roughly 20,000–23,000 affected, and up to ~85,000 practitioners on the platform overall), exposing data linked to millions of patients. The outage forced medical practices to revert to paper for nearly a week, with a degraded-mode restart from 14 November. Weda took its services offline pending full security validation, reported the incident to authorities, and engaged external experts to investigate.

Sources

  1. lemagit.frhttps://www.lemagit.fr/actualites/366634311/Sante-lediteur-du-logiciel-medical-Weda-coupe-ses-services-par-precaution
  2. caducee.nethttps://www.caducee.net/actualite-medicale/16693/cyberattaque-weda-23-000-soignants-concernes.html
  3. syndicat-smg.frhttps://syndicat-smg.fr/cyberattaque-de-weda-et-fuites-de-donnees-medicales-la-mise-en-ligne-des
  4. avecsantena.frhttps://avecsantena.fr/cyberattaque-du-logiciel-weda-que-sest-il-passe-et-comment-reagir-pour-une-msp/

Related incidents

Data breachContained

Leak at Médecin Direct

MédecinDirect, the French teleconsultation platform (a Teladoc Health subsidiary), disclosed on 3 December 2025 a data breach detected on 28 November exposing the personal and health data of around 285,000 patients, with a threat actor claiming up to 323,069 records.

Victim
Médecin Direct
Data breachContained

Leak at Itelis

In November 2025, Itelis — a French optical health-care network linked to AXA — disclosed a breach exposing roughly 1.6 million beneficiaries' identity and optical-reimbursement data, including names, dates of birth and social security numbers.

Victim
Itelis
Data breachOngoing

Leak at Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie

A September 2025 cyberattack on regional health-identity platforms used by several French Regional Health Agencies (ARS) exposed patient identity data; an attacker claimed roughly 35 million patient records across 130+ public hospitals, later offered for sale by the DumpSec group.

Victim
Regional Health Agencies of Île-de-France, Auvergne, Rhône-Alpes, Hauts-de-France, Pays de la Loire and Normandie