Half a million stolen French medical records, drowned in feeble excuses

A bitter pill best swallowed with eight gallons of swimming pool water


Something for the Weekend, Sir? Those files I promised you? Oh, I'm sorry, they accidentally got taken out with the recycling. A gull swooped down and snatched them out of my hands. They were lost in a tsunami. No, a forest fire. An earthquake. Actually, to tell the truth, my mum put them in the washing machine.

This is making me feel queasy. My health isn't in question*. I've simply missed another work deadline and inventing a plausible excuse that I haven't used recently is making my head spin. You'd think all that "the dog ate my homework" business would end when you left school but oh no, here I am still doing it a generation and a half later.

It's at times like these that I think back to tales my dad would regale us with about his schooldays. He had a classmate who would invent increasingly bizarre reasons for being excused from a lesson so he could bunk off and visit the nurse. Squeaking "I have an ow in my tummy" would never be enough for him: this lad would apparently announce to the teacher in a powerful voice "I've swallowed my ruler!" or "My shoulder's trapped in the desk!" or "I've impaled my hand/leg/head on my chair/compasses/Bunsen burner!"

When one lacks such chutzpah, inventing amusing little fibs to evade one's obligations wears one down. Thus one feels unwell. Being under house arrest for 11 months doesn't help one either.

So by no coincidence one, er, I have been testing another health and fitness app. Every morning, croaky voiced Americans grunt motivational quotes through their noses at me, and notifications pop up on my phone throughout the day nagging me to tell the app how many glasses of water I've drunk.

Apparently I can enjoy better health and more restful nights if I drink eight tumblers of water a day. Or eight litres. Or is it eight pints? It may as well be eight swimming pools' worth as far as I'm concerned. I'm unskilled at guessing volumes – an affliction that led to poor scores in physics tests at school – but it sounds like an awful lot of water to keep guzzling down.

Taking the guesswork out of the challenge, I've started drinking directly from a measuring jug. Also, since carrying the jug around all day for the occasional sip is inconvenient, I quaff all eight gallons or whatever it is in one go just before going to bed.

So much for the restful nights. I'm up every fucking half an hour for a piss.

This affliction is euphemistically known as "frequency." I'd go to the doctor and ask to be tested but there's no point. I've drunk so much water now, the testers down at the laboratory will simply confirm that my urine sample is 90 per cent Evian, 10 per cent tap.

Besides, getting tested down at the lab is a sure-fire way to get my personal details spewed across Turkish and Russian social media. Here in France, we've just experienced the country's biggest ever data breach of customer records, involving some half a million medical patients. Worse, the data wasn't even sold or held to ransom by dark web criminals: it was just given away so that anyone could download it.

Up to 60 fields of personal data per patient are now blowing around in the internet winds. Full name, address, email, mobile phone number, date of birth, social security number, blood group, prescribing doctor, reason for consultation (such as "pregnancy", "brain tumour", "deaf", "HIV positive") and so on – it's all there, detailed across 491,840 lines of plain text.

Data journalism couldn't be easier, and indeed the newspaper hacks have been on the beat, contacting the doctors listed in the file and phoning up some of the patients on their mobile numbers to ask how they feel about the data breach. The doctors knew nothing about it, and of course the patients whose personal info had been stolen – including Hervé Morin, ex-Minister of Defence, as it turns out – hadn't the faintest idea.

According to an investigation by daily newspaper Libération, warning signs that something was afoot were first reported on 12 February in a blog by Damien Bancal at security outfit Zataz. Some dark web spivs began discussing, in Turkish-language channels on Telegram, how to sell some medical records stolen from a French hospital. Some of them then tried independently to put the data on the market and got into an argument that spilled over into Russian-language channels.

One of them, it seems, got pissed off and decided to take revenge by posting an extract of the data publicly. This was rapidly spread around Telegram's other lesser spivlet channels and soon afterwards ended up being shared on conventional social media.

A closer look at the file reveals that it didn't come from a hospital after all. It turns out the various dates on the patient records refer not to doctors' appointments but to when patients had to submit a test specimen: in other words, the data is likely to have been stolen from French bio-medical laboratories conducting the specimen analysis.

Further probing by Libé revealed that the hack may relate to data stored using a system called Mega-Bus from Medasys, a company since absorbed into Dedalus France. Dating back to 2009, Mega-Bus hasn't been updated and laboratories have been abandoning it for other solutions over the last couple of years. No patient records entered into these newer systems can be found in the stolen file, only pre-upgrade stuff entered into Mega-Bus, apparently.

This has led to much conjecture as to when and where the breach might have taken place. Could it have been at that crucial, most vulnerable moment when unencrypted data was moved from the old system to a new one? So far, Dedalus and the laboratories are pleading ignorance and blaming each other, but that is understandable. It would be unfair to expect otherwise until Monsieur Plod's boffin brigade gets a chance to investigate.

Meanwhile, it's going to be tiresome for the patients whose comprehensive personal information has gone public. As they say, you can change a stolen password; you can change your mobile number; you could even change your doctor. But you can't so easily move house or change your name, social security number, medical history, lab test results or details of your prescription.

Certainly, the much-quoted myth that sharing medical records between big data operators is safe because the data is anonymised has once again been shown to be just that – utter bollocks.

Ah, that gives me an idea.

Please accept my apologies for running late. The files that are due today were unfortunately lost as the result of a cyber attack.

[thinks… inserts adjective]

…an unprecedented cyber attack.

[maybe another?]

…an unprecedented, sophisticated cyber attack.

There. Who wouldn't believe that?

Alistair Dabbs
Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. He has been invited to come up to the lab and see what's on the slab, and is now shivering with antici…pation. Should he see a doctor? More at Autosave is for Wimps and @alidabbs.

* No, I haven't posted my No.2 to the lab yet. It's No.2 on my to-do list.


Biting the hand that feeds IT © 1998–2021