French Hospitals Paralyzed: Ransomware and Lives at Risk
"Canceled surgeries. Redirected patients. Lives in danger. French hospitals have become prime targets for cybercriminals."
Table of Contents
- The Wave of Hospital Ransomware Attacks
- Anatomy of an Attack
- Consequences for Patients
- Why Hospitals Are Vulnerable
- What Authorities Are (or Aren't) Doing
- Stolen Health Data
- How to Protect Yourself
- FAQ
- Conclusion: Healthcare in Danger
- Sources
Since 2019, French hospitals have been enduring an unrelenting wave of ransomware cyberattacks. Rouen University Hospital, Corbeil-Essonnes, Rennes, Versailles... No region has been spared.
These attacks are not mere technical incidents. They paralyze entire departments, delay vital care, and expose the most intimate medical data of millions of patients.
The Wave of Hospital Ransomware Attacks
More than 30 major facilities paralyzed between 2019 and 2024 by cybercriminals.
Major Attacks (2019-2024)
| Hospital | Date | Duration of Disruption | Impact |
|---|---|---|---|
| Rouen University Hospital | Nov 2019 | Several weeks | Return to paper, patient transfers |
| AP-HP (Paris) | 2020-2021 | Variable | Multiple incidents |
| Corbeil-Essonnes Hospital | Aug 2022 | Months | Surgeries canceled, data published |
| Versailles Hospital | Dec 2022 | Weeks | Emergency services disrupted |
| Rennes University Hospital | June 2023 | Weeks | Degraded operations |
| Brest University Hospital | 2023 | Weeks | Systems paralyzed |
| Many others | 2019-2024 | Variable | Recurring incidents |
The Scale of the Problem
| Indicator | Figure |
|---|---|
| Healthcare facilities affected (2020-2024) | 30+ major |
| Incidents reported to ANSSI (2023) | 200+ in healthcare sector |
| Average cost per attack | 1-10 million EUR |
| Average disruption duration | 2-6 weeks |
Source: ANSSI, ARS, Parliamentary reports
Anatomy of an Attack
Intrusion, encryption, exfiltration, ransom: the relentless mechanics of a hospital ransomware attack.
How Ransomware Works
Stage 1: Intrusion
- Targeted phishing email
- Exploitation of a software vulnerability
- Access via a compromised contractor
Stage 2: Propagation
- Malware spreads through the network
- It maps the systems
- It identifies critical data
Stage 3: Exfiltration
- Sensitive data is copied
- Patient files, administrative data
- Preparation for blackmail
Stage 4: Encryption
- All files are encrypted
- Systems become inaccessible
- The hospital is paralyzed
Stage 5: Ransom
- Payment demand (in cryptocurrency)
- Threat to publish data
- Double extortion (encryption + disclosure)
The Corbeil-Essonnes Case (2022)
A textbook example:
| Element | Detail |
|---|---|
| Date | August 20, 2022 |
| Criminal group | LockBit |
| Ransom demanded | 10 million EUR (then 1 million) |
| Data stolen | 11 GB (patient and employee files) |
| Data published | Yes (after non-payment) |
| Disruption duration | Several months |
"We had to go back to paper and pencil. Doctors consulted patient files from memory or called other departments. It was chaos."
— Healthcare worker testimony
Source: Le Monde - Corbeil-Essonnes Cyberattack
Consequences for Patients
Delayed care, risky transfers, exposed data: the human cost of cyberattacks.
1. Delayed Care
When systems go down:
Immediate impacts:
- Test results inaccessible
- Medical history unavailable
- Electronic prescriptions impossible
- Surgery schedules lost
Concrete consequences:
- Surgeries postponed
- Treatments delayed
- Diagnoses deferred
- Dosage errors possible
2. Risky Transfers
Patients sometimes must be transferred to other facilities:
- Critical emergencies redirected
- Extended medical transport
- Neighboring hospitals overloaded
- Risk during transport
"A critical patient transferred urgently because our systems were down... The time lost in the transfer could have been fatal."
— Anonymous emergency physician
3. Exposed Data
Health data is the most sensitive:
| Data Type | Exposure Risk |
|---|---|
| Complete medical record | Conditions, treatments |
| Lab results | HIV, chronic diseases |
| Psychiatric data | Mental disorders |
| Gynecological data | Abortions, fertility |
| Financial data | Social situation |
Consequences:
- Employment discrimination
- Insurance discrimination
- Personal blackmail
- Social stigmatization
4. Have There Been Deaths?
This is the taboo question.
What we know:
- Documented care delays
- Urgent surgeries postponed
- Fragile patients affected
What's difficult to prove:
- Direct link between cyberattack and death
- Hospitals don't communicate on this subject
- No epidemiological studies published
"In Germany, a patient died in 2020 following a forced transfer due to a cyberattack. In France, officially, no cases. But who can be certain?"
— Digital health expert
Why Hospitals Are Vulnerable
Insufficient budgets, obsolete systems, valuable data: perfect targets for cybercriminals.
1. Chronic Underinvestment
Hospital IT budgets are dramatically insufficient:
| Indicator | Hospitals | Equivalent Private Sector |
|---|---|---|
| IT budget (% of total budget) | 1-2% | 5-10% |
| Cybersecurity budget | Minimal | 10-15% of IT budget |
| Dedicated security positions | 0-2 | Complete teams |
2. Obsolete Systems
Hospitals operate with aging systems:
- Windows XP still present
- Medical software not updated
- Unsecured connected medical equipment
- Non-segmented networks
3. 24/7 Operations
Hospitals cannot shut down for updates:
- Continuous service 24/7
- Inability to interrupt critical systems
- Updates postponed indefinitely
- No maintenance windows
4. Data Value
Health data is highly valued on the dark web:
| Data Type | Approximate Price |
|---|---|
| Complete medical record | 100-1000 EUR |
| Ameli data | 50-200 EUR |
| Prescriptions | Variable |
Hospitals are profitable targets.
5. Insufficient Training
Healthcare staff are not trained in cybersecurity:
- Priority on care, not IT
- Clicks on phishing emails
- Weak or shared passwords
- Uncontrolled USB drives
What Authorities Are (or Aren't) Doing
Announced plans, diluted budgets, insufficient results: the political response falls short.
Government Plans
Healthcare Cybersecurity Plan (2021):
- 350 million EUR announced
- ANSSI reinforcement
- Creation of Healthcare CERT
- Mandatory audits
SUN Program (Segur Digital):
- 2 billion EUR for healthcare digital
- Part allocated to security
- Interoperability and modernization
The Ground Reality
| Announcement | Reality |
|---|---|
| 350M EUR | Spread across many facilities, diluted |
| Mandatory audits | Not all completed |
| Training | Insufficient |
| Equipment | Renewal too slow |
Problems persist:
- Budgets still insufficient
- Priority on functionality
- Lack of qualified personnel
- Resistance to change
ANSSI and Healthcare CERT
ANSSI intervenes during attacks:
- Technical assistance
- Forensic analysis
- Recommendations
Healthcare CERT:
- Threat monitoring
- Facility alerts
- Response coordination
But these resources remain insufficient given the scale of attacks.
Stolen Health Data
Complete records, medical tests, intimate data: everything sells on the dark web.
What Has Leaked
During attacks, data has been exfiltrated and published:
Corbeil-Essonnes:
- Patient records published on the dark web
- Employee HR data
- Administrative documents
Other facilities:
- Lab results
- Prescriptions
- Medical correspondence
The Health Data Market
On the dark web, health data sells:
| Use | Potential Buyer |
|---|---|
| Insurance fraud | Criminals |
| Blackmail | Criminals |
| Identity theft for care | Criminals |
| Illegal marketing | Unscrupulous companies |
| Espionage | Competitors, states |
Risks for Patients
If your data has leaked:
Immediate risks:
- Targeted "health" phishing
- Identity theft with Health Insurance
- Blackmail over sensitive data
Long-term risks:
- Employment/insurance discrimination
- Revelation of conditions
- Psychological impact
How to Protect Yourself
Active monitoring, heightened vigilance, exercising your rights: your protection protocol.
If You're a Patient at an Attacked Hospital
1. Request confirmation
- The hospital must notify you if your data leaked
- Contact the DPO (Data Protection Officer)
2. Watch for scams
- Beware of "health" emails/SMS
- Check your reimbursements on ameli.fr
- Report any anomaly
3. Strengthen your security
- Unique password on Ameli
- 2FA if available
- Identity monitoring
Your Rights
Right to information:
- The hospital must inform you of the leak
- You must know which data is affected
Right to compensation:
- GDPR provides for compensation
- Class actions possible
File a complaint:
- CNIL for data breach
- Police for damages
FAQ
Do hospitals pay ransoms?
Officially no, per ANSSI recommendation. Paying doesn't guarantee data recovery and funds criminals. However, some facilities may have paid discreetly.
Is my medical data really on the dark web?
If you were a patient at an attacked hospital and data was published (as at Corbeil-Essonnes), yes, it's possible. The hospital is supposed to inform you.
Why attack hospitals?
Health data is highly valued. Hospitals are vulnerable (obsolete systems, low budgets). And critical operations potentially push them to pay.
Have there been deaths in France?
No directly linked death has been officially confirmed. However, care delays and risky transfers have been documented. The causal link is difficult to establish.
How can the situation improve?
- Significantly increased IT budgets
- System modernization
- Staff training
- Network segmentation
- Offline backups
- Regular testing
Conclusion: Healthcare in Danger
Cyberattacks on French hospitals are not isolated incidents. This is a systemic crisis putting lives in danger.
Key takeaways:
- 30+ major hospitals affected in 5 years
- Delayed care, canceled surgeries
- Medical data published on the dark web
- Underinvestment is the main cause
- Government plans are insufficient
French healthcare now also depends on hospital cybersecurity. And on this front, we are losing.
For the complete overview of cyberattacks in France: France, Digital Sieve.
Related Articles — Cybersecurity & Data Protection
- Telecom Operator Hacks: SFR, Free, Orange
- Personal Data Protection France Guide
- France Travail Hack: Employment Data Breach
- Viamedis Almerys Hack: Health Insurance Breach
- Linky: Fires, Outages, Enedis Security
Sources
- ANSSI - Healthcare cyberattack reports
- Le Monde - Corbeil-Essonnes Cyberattack
- Numerama - Hospital ransomware
- Parliamentary reports on healthcare cybersecurity
- Healthcare CERT - Alerts and recommendations
- ARS - Incident communications