YMED (SOONCARE): 253,000 patients exposed, 132 GB of medical data exfiltrated
On 6 April 2026, Bordeaux-based healthcare software publisher YMED, which runs the SOONCARE® appointment platform, was hit by an extortion attack claimed by the group XP95, which exfiltrated 132 GB of data covering 253,342 patients and over 431,000 medical files.
- Victim
- YMED (SOONCARE)
- records
- 253.3K
On 6 April 2026, YMED — a Bordeaux-based health software publisher whose SOONCARE® platform handles online appointment booking and patient records for several French medical facilities — was hit by a data-extortion attack claimed by the cybercriminal group XP95. Because YMED is a third-party provider serving multiple clinics and hospitals, partner facilities including Clinique Bordeaux Nord Aquitaine and the Institut Bergonié cancer centre were directly affected.
The attackers claimed to have exfiltrated the entire patient database, totalling 132 GB of data spanning 253,342 patients and more than 431,000 medical files. XP95 demanded a ransom of roughly $20,000 in bitcoin in exchange for not publishing the stolen data.
The exposed data included:
- Identity details: name, date of birth, postal address, email, phone number
- Identity documents and insurance attestations
- Medical reports and imaging files
- Private messaging content and appointment histories
YMED suspended parts of the SOONCARE® platform to contain the incident and secure its infrastructure, took affected servers offline, and notified the French data-protection authority (CNIL) while filing a police complaint. The Institut Bergonié activated a crisis cell on 8 April, set up a dedicated hotline, and advised affected patients to change reused passwords and stay alert to phishing. At the time of disclosure, YMED reported no evidence of fraudulent use of the data, though unauthorised access to sensitive information was confirmed.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/ymed-sooncare-253-000-patients-exposes-132-go-de-donnees-medicales-exfiltres/
- france3-regions.franceinfo.frhttps://france3-regions.franceinfo.fr/nouvelle-aquitaine/gironde/bordeaux/les-donnees-personnelles-et-medicales-de-250-000-personnes-ciblees-par-une-cyberattaque-d-ampleur-3331361.html
- bergonie.frhttps://www.bergonie.fr/mesures-attaque-prestataire/