Leak of 500,000 medical files: court orders the blocking of a site hosting the pirated file

Orange, SFR, Bouygues Telecom and Free are ordered to immediately block access to a site providing access to leaked data from medical analysis laboratories.

The Paris court on Thursday ordered the four French internet service providers to immediately block a site that hosted a file containing sensitive data on nearly 500,000 people in France, after a major leak that affected medical analysis laboratories.

Acting on a summary application from the Commission informatique et libertés (Cnil), the judicial court ordered the operators Orange, SFR, Bouygues Telecom and Free to implement this blocking without delay and for a period limited to 18 months, according to the judgment, which AFP has seen. The free file hosting service targeted by the block had registered its domain name in July 2020 with an extension corresponding to the island of Guernsey. It is distributed through the American content accelerator Cloudflare, “which left the Cnil’s requests unanswered”. The commission noted that a direct link to the contested file hosted on this service had been made freely available on a discussion forum. Because the precise address of the file could not be effectively targeted, the court ultimately ordered the blocking of the service itself. “Putting this file online, containing a great deal of data relating to the identity and health of nearly 500,000 people, constitutes a serious and immediate violation of the rights of the persons concerned, in particular the right to respect for private life,” the court held.

28 laboratories involved

Dedalus France, a publisher of software for healthcare establishments, had indicated on Friday that it had identified among its customers 28 laboratories affected by this leak of medical data, revealed by the media earlier in the week. These laboratories were spread over 6 departments in the Brittany, Centre-Val de Loire and Normandy regions.

AFP had observed that a file comprising 491,840 names, associated with contact details (postal address, telephone, e-mail) and a social security number, was circulating freely on at least one forum indexed by search engines. These names were sometimes accompanied by details of the blood group, the attending physician or the mutual health insurer, or by comments on the state of health (including a possible pregnancy), drug treatments or pathologies (in particular HIV).

Since then, the hack has been under investigation by the National Information Systems Security Agency (Anssi) and the Ministry of Solidarity and Health, in conjunction with the Cnil and the software publisher, and a judicial investigation has been entrusted to the cybercrime section of the Paris prosecutor’s office.