15.8 million records | March 3, 2026 | Healthcare

Cegedim Santé

One of Europe's largest healthcare breaches—15.8 million French patients' most sensitive medical data exposed.

Exposed data: patient names, HIV status, psychiatric diagnoses, sexual orientation, mental health conditions, physician notes, treatment histories, prescription data

1. What happened?

On March 3, 2026, Cegedim Santé confirmed that attackers had breached their MonLogicielMedical platform—a medical practice management system used by 3,800 French doctors. The breach was initially detected in October 2025, but the full scope only became clear months later. 15.8 million patient records were stolen in what became one of the largest healthcare data breaches in European history.

2. What data was actually inside?

The breach exposed the most sensitive categories of medical data possible: HIV status, psychiatric diagnoses, sexual orientation, mental health conditions, and free-text physician notes. These aren't checkbox fields—they're the candid observations doctors make when they think no one else will ever read them.

The stolen data also included treatment histories, prescription records, and patient identifiers that can be cross-referenced with other databases to build complete profiles of individuals' medical lives.

3. Who gets hurt and how?

15.8 million French citizens now have their most intimate health information in the hands of attackers. A patient who disclosed their HIV status to a trusted doctor now faces potential exposure of that information to employers, insurers, family members, or anyone willing to pay for the data.

Mental health patients face stigma and discrimination. Those with substance abuse histories face insurance denials. The data isn't just embarrassing—it's weaponizable. And unlike a credit card, you cannot change your medical history.

4. What did they think they were doing right?

Cegedim is a major healthcare IT provider. They serve thousands of medical practices across France. They operate under GDPR—one of the world's strictest privacy frameworks. They had security controls. They had compliance certifications. They believed their platform was protecting patient data because they had checked all the regulatory boxes.

5. What did they not know about their own data?

Cegedim didn't know that free-text physician notes—those informal observations doctors type into patient records—contained some of the most sensitive information in their entire database. They didn't know that 15.8 million records could be exfiltrated without triggering immediate detection. The breach went unnoticed for months.

They didn't have a real-time inventory of what sensitive data lived where. HIV status, psychiatric diagnoses, and sexual orientation were scattered across millions of unstructured text fields, unclassified and unmonitored.

6. What does attribution look like the morning after?

Under GDPR, Cegedim faces potential fines of up to 4% of annual global revenue. More immediately, they had to notify 15.8 million patients—and 3,800 medical practices—that their data was compromised. The French data protection authority (CNIL) launched an investigation.

But the hardest question: which patients need to know their HIV status was exposed? Which psychiatric diagnoses were in those records? Cegedim had to figure out what was in those physician notes—after the fact, at scale, under legal deadline.

7. What would have changed the outcome?

Knowing what sensitive data exists before it walks out the door.

If Cegedim had scanned their physician notes for sensitive data—HIV status, mental health diagnoses, sexual orientation—they would have known exactly what was at risk. They could have classified it, protected it differently, detected exfiltration faster. Instead, they learned what was in those fields when attackers showed them.
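The scan-and-classify step described above, as an added example in Python (not code from Cegedim or from the Risk Finder product): a small set of assumed keyword patterns is run over constructed physician notes to produce the per-record, per-category inventory the report says was missing, and to assign each record a handling tier. Record ids, note text and the pattern lists are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample notes for this example; none of this is real patient data.
SAMPLE_NOTES = {
    "rec-001": "Follow-up. Pt is HIV positive, viral load undetectable. Mood stable.",
    "rec-002": "Knee pain after running. Advised rest and ibuprofen.",
    "rec-003": "Dx: major depressive disorder, recurrent. Patient identifies as gay; partner supportive.",
    "rec-004": "Routine check. BP 128/82. No complaints.",
    "rec-005": "Hx of opioid dependence, 2 yrs in recovery. Bipolar disorder, on lithium.",
}

# Sensitive categories named in the report, each with free-text cues a scanner
# would look for. The patterns are illustrative assumptions, not a clinical lexicon.
CATEGORY_PATTERNS = {
    "hiv_status": [r"\bHIV\b", r"antiretroviral", r"seropositiv", r"viral load"],
    "mental_health": [r"depress", r"bipolar", r"schizophren", r"psychiatr", r"\bPTSD\b"],
    "sexual_orientation": [r"\b(gay|lesbian|bisexual|homosexual|same[- ]sex)\b", r"sexual orientation"],
    "substance_use": [r"\b(opioid|alcohol|substance) (dependence|abuse|use disorder)\b", r"\baddiction\b"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in CATEGORY_PATTERNS.items()}


def classify_note(text: str) -> set[str]:
    """Return the sensitive categories found in one free-text note."""
    return {cat for cat, pats in COMPILED.items() if any(p.search(text) for p in pats)}


def build_inventory(notes: dict[str, str]) -> dict:
    """Scan every note: which records carry which categories, and how many of each exist."""
    per_record = {rid: classify_note(text) for rid, text in notes.items()}
    counts = Counter(cat for cats in per_record.values() for cat in cats)
    flagged = sorted(rid for rid, cats in per_record.items() if cats)
    return {"per_record": per_record, "counts": dict(counts), "flagged": flagged}


def protection_tier(categories: set[str]) -> str:
    """Records with any special-category finding get a stricter storage, access
    and monitoring tier than routine notes."""
    return "restricted" if categories else "standard"


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_NOTES)
    print(f"{len(inv['flagged'])} of {len(SAMPLE_NOTES)} records carry special-category data")
    for cat, n in sorted(inv["counts"].items()):
        print(f"  {cat}: {n}")
    for rid in inv["flagged"]:
        print(f"  {rid} -> {protection_tier(inv['per_record'][rid])}: {sorted(inv['per_record'][rid])}")
```

Keyword patterns like these trade recall for simplicity; a production scanner would pair them with negation handling and review of sampled misses before the inventory is trusted.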

Don't Learn What You Have From an Attacker

Cegedim didn't know what sensitive data lived in those physician notes until it was too late. Risk Finder shows you first.
