Skip to content
RansomwareContained

YMED (SOONCARE): 253,000 patients exposed, 132 GB of medical data exfiltrated

On 6 April 2026, Bordeaux-based healthcare software publisher YMED, which runs the SOONCARE® appointment platform, was hit by an extortion attack claimed by the group XP95, which exfiltrated 132 GB of data covering 253,342 patients and over 431,000 medical files.

Victim
YMED (SOONCARE)
records
253.3K

On 6 April 2026, YMED — a Bordeaux-based health software publisher whose SOONCARE® platform handles online appointment booking and patient records for several French medical facilities — was hit by a data-extortion attack claimed by the cybercriminal group XP95. Because YMED is a third-party provider serving multiple clinics and hospitals, partner facilities including Clinique Bordeaux Nord Aquitaine and the Institut Bergonié cancer centre were directly affected.

The attackers claimed to have exfiltrated the entire patient database, totalling 132 GB of data spanning 253,342 patients and more than 431,000 medical files. XP95 demanded a ransom of roughly $20,000 in bitcoin in exchange for not publishing the stolen data.

The exposed data included:

  • Identity details: name, date of birth, postal address, email, phone number
  • Identity documents and insurance attestations
  • Medical reports and imaging files
  • Private messaging content and appointment histories

YMED suspended parts of the SOONCARE® platform to contain the incident and secure its infrastructure, took affected servers offline, and notified the French data-protection authority (CNIL) while filing a police complaint. The Institut Bergonié activated a crisis cell on 8 April, set up a dedicated hotline, and advised affected patients to change reused passwords and stay alert to phishing. At the time of disclosure, YMED reported no evidence of fraudulent use of the data, though unauthorised access to sensitive information was confirmed.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/ymed-sooncare-253-000-patients-exposes-132-go-de-donnees-medicales-exfiltres/
  2. france3-regions.franceinfo.frhttps://france3-regions.franceinfo.fr/nouvelle-aquitaine/gironde/bordeaux/les-donnees-personnelles-et-medicales-de-250-000-personnes-ciblees-par-une-cyberattaque-d-ampleur-3331361.html
  3. bergonie.frhttps://www.bergonie.fr/mesures-attaque-prestataire/

Related incidents

RansomwareOngoing

Leak at Résidence du Parc (Champdeniers-Saint-Denis)

In December 2025, the EHPAD Résidence du Parc nursing home in Champdeniers-Saint-Denis (Deux-Sèvres, France), home to around 90 residents, was hit by a ransomware attack that encrypted files and dropped a $5 million ransom note; administrative data and possibly scanned ID documents were exposed.

Victim
Résidence du Parc (Champdeniers-Saint-Denis)
RansomwareOngoing

Leak at Haute-Comté intercommunal hospital centre

On 19 October 2025, the Centre Hospitalier Intercommunal de Haute-Comté in Pontarlier (France) was hit by a Cryptolocker ransomware attack that encrypted part of its data, forcing a full IT shutdown and a return to paper-based care; attackers demanded a 5 million euro ransom.

Victim
Haute-Comté intercommunal hospital centre