Hackers leaked patient information stolen from the Centre Hospitalier Sud Francilien (CHSF) in France after the hospital refused to pay a $1 million ransom. (Photo courtesy of CHSF)

Data from French hospital that refused to pay ransom leaked to dark web

October 03, 2022
by John R. Fischer, Senior Reporter
Hackers who infiltrated and stole data from a French hospital in August have now released personal patient records on the dark web in response to the institution’s refusal to pay the group’s $1 million ransom.

The 1,000-bed Centre Hospitalier Sud Francilien (CHSF) in Corbeil-Essonnes, near Paris, shut down its emergency services and transferred many patients to other hospital facilities after finding that the Lockbit ransomware group stole social security numbers, medical scans, lab reports and other health data via a ransomware strain known as Lockbit 3.0.

Under French law, public institutions are banned from paying ransoms. The group demanded $10 million (over €10 million) for the return of the data. It later downgraded the ransom to $1 million (over €1 million) and postponed the ultimatum deadline, but the hospital still refused to pay, according to French outlet Le Parisien.

"Even if they ask for 150,000 euros, we will not pay. That is the rule that has been established," said Medhy Zeghouf, president of the board of CHSF.

In response, the group published 12 gigabytes of patient and staff data the weekend of September 23 on the dark web, a part of the internet that requires special software to access.

Health minister François Braun condemned the leak in a tweet, saying that Paris would "not give in to these criminals."

The hospital transferred 13 infants in intensive care “as a precaution,” and saw its emergency care intake drop by more than half, with one patient unable to undergo surgery because of disruptions to imaging data. At one point, its phone was the only system still functioning, reported The Local.

The hospital said the attack was limited to virtual servers that hold one-tenth of its data. An ongoing investigation by the French National Agency for Information Systems Security and two cybersecurity companies confirmed that business databases, including personalized patient files and human resources management files, were not compromised.

The event, according to Braun, led the French government in late August to invest an additional €20 million (over $19 million) in hospital security.

Following the leak, the hospital restricted access to its systems and warned patients to be extra careful when receiving emails, text messages or calls.