On February 27, 2026, France24 reported that Cegedim Sante, a subsidiary of French healthcare technology group Cegedim, had suffered a breach affecting 15.8 million patient records. The disclosure came after a France 2 television broadcast the previous evening revealed the scale of the incident.
What Was Exposed
The breach affected Cegedim's MonLogicielMedical (MLM) platform, used by approximately 3,800 doctors in France. Of the 15.8 million administrative records compromised — containing names, dates of birth, addresses, phone numbers, and email addresses — approximately 165,000 files contained doctors' free-text clinical notes with highly sensitive medical information, including:
- HIV/AIDS status
- Psychiatric conditions and diagnoses
- Sexual orientation
- Mental health treatment details
According to The Register, approximately 1,500 practitioners were directly affected by the breach, representing roughly 40% of the MLM user base.
Timeline
Cegedim detected abnormal application request behaviour on doctor accounts in late 2025 and filed a criminal complaint with French authorities in October 2025. However, public disclosure did not occur until the France 2 broadcast on February 26, 2026. Cegedim issued an official statement on February 27, confirming the breach and stating that all affected physicians had been contacted in early January 2026.
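The timeline says the incident was first noticed as abnormal application request behaviour on doctor accounts. The following is an added example, not Cegedim's code or any detail of the MLM platform, of the kind of per-account volume check that surfaces such behaviour: each account's count of distinct patient records touched per day is compared against that account's own median over its other days. The log format, account names, patient ids, multiplier and floor are all constructed assumptions for illustration.

```python
"""
Added example (not Cegedim's or MLM's code): flag accounts whose daily volume of
distinct patient-record reads departs sharply from their own baseline.
Log format, account ids, patient ids and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def make_sample_log():
    """Constructed audit log: one 'ISO-timestamp account action patient_id' line per read.
    Two hypothetical accounts read 10 and 12 records a day; on day 7 the second one
    reads 400, a constructed stand-in for bulk record enumeration."""
    lines = []
    start = datetime(2025, 10, 1, 9, 0, 0)
    for day in range(7):
        for acct, per_day in (("dr_001", 10), ("dr_002", 12)):
            n = 400 if (acct == "dr_002" and day == 6) else per_day
            for i in range(n):
                ts = start + timedelta(days=day, minutes=i)
                lines.append(f"{ts.isoformat()} {acct} GET_RECORD P{day:02d}{i:04d}")
    return lines


def parse_log(lines):
    """Parse lines into (date, account, action, patient_id); malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts.date(), parts[1], parts[2], parts[3]))
    return events


def daily_distinct_records(events):
    """Return {account: {date: number of distinct patient records read that day}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, acct, action, patient in events:
        if action == "GET_RECORD":
            seen[acct][day].add(patient)
    return {a: {d: len(p) for d, p in days.items()} for a, days in seen.items()}


def find_anomalies(counts, multiplier=5.0, floor=50):
    """Flag (account, date, count, baseline) where the day's distinct-record count
    exceeds both an absolute floor and `multiplier` times the account's median
    over its other days. A baseline needs at least three other days; the median
    keeps a single outlier day from inflating its own baseline."""
    flagged = []
    for acct, days in counts.items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            if len(others) < 3:
                continue
            baseline = median(others)
            if count > floor and count > multiplier * baseline:
                flagged.append((acct, day, count, baseline))
    return flagged


def run():
    """Run the check over the constructed log and return the flagged (account, date, count, baseline) rows."""
    events = parse_log(make_sample_log())
    return find_anomalies(daily_distinct_records(events))


if __name__ == "__main__":
    for acct, day, count, baseline in run():
        print(f"{day} {acct}: {count} distinct records vs baseline {baseline:.0f}")
```

Comparing each account against its own history, rather than against a fleet-wide threshold, matters in a clinical setting where a large group practice legitimately reads far more records than a solo practitioner; the absolute floor stops low-volume accounts from being flagged on a single busy day. In a real deployment the flagged rows would feed a review queue rather than block access, since the first sign of a compromised account and an unusually busy clinic day look the same in volume alone.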
Prior CNIL Enforcement
The breach is particularly significant because CNIL, the French data protection authority, had fined Cegedim Sante €800,000 on September 5, 2024 for processing health data without authorisation, including transmitting non-anonymised health data to customers. Inspections carried out by CNIL in 2021 had revealed these violations.
On February 13, 2026 — just two weeks before the breach became public — the Council of State confirmed all CNIL sanctions against Cegedim.
Context
This breach represents the largest known healthcare data exposure in EU history. Under GDPR Article 83, data controllers that fail to implement appropriate technical and organisational measures for health data face administrative fines of up to €20 million or 4% of global annual turnover. For organisations processing health data under NIS2 or subject to GDPR, this incident illustrates the compounding regulatory risk when data protection failures precede a breach.