1.4 million French people are affected by a leak of their Covid test results. Steps may need to be taken to protect your personal and medical data.
The case was made public in mid-September: the Assistance publique-Hôpitaux de Paris (AP-HP) was the victim of a hack, made possible by a critical vulnerability in software that it uses to deposit and exchange files between AP-HP members. As a result, the Covid-19 screening tests of 1.4 million French people ended up in the wild.
Both personal data and medical information were taken: the identity of the patient tested, their social security number, their contact details (email address, telephone number, postal address), the type of test performed and its result. To make matters worse, the identity and contact details of the healthcare professional who performed the test were also leaked.
All those concerned have been contacted by the AP-HP to inform them of the situation, but also of what to do to avoid unpleasant surprises and, where applicable, the right course of action to adopt if fraudulent use of their personal data is found. Several actions are available to victims.
Beware of phishing targeting you
The first thing to do is to be extremely careful with any letter, email, SMS or phone call that mentions this Covid test or your state of health with regard to the coronavirus. Malicious actors exploit this type of leak to compose fraudulent messages, sometimes very credible ones, that push you to take specific actions.
These messages sometimes imitate genuine services very well in order to fool the user. For example, they could pretend to come from Health Insurance and claim that there will be a refund or compensation following this Covid test. The fact that the social security number was also leaked can give the message a lot of weight and make it very convincing.
A good warning sign is the promise of some sort of gain, or the threat that something must be settled very quickly or done within a short period so that you don't have to pay anything. Other clues, in particular alarmist messages about your state of health, should also raise suspicion. The same goes if the message is written in broken French.
To avoid any risk and escape these operations, known as phishing attempts, it is recommended that you do not click on any link in the message and do not follow the instructions it contains. If you have any doubts, go through a search engine instead, go directly to the relevant website, and get in touch to check whether everything is legitimate.
Watch over your personal data on the net
Beyond the phishing attempts that will try to target you directly, you may come across your personal and medical data while visiting a site. Here again, you have options. The National Commission for Informatics and Liberties (CNIL) provides an online complaint tool, whether the data appears on an ordinary site, a forum, a social network or a search engine.
But before reaching the stage of a complaint sent to the CNIL, you can try to contact the person in charge of the site to request the deletion of this data. Major platforms like Google, Facebook, YouTube, Twitter and Instagram have dedicated forms for reporting abuse. You may need to justify the request and explain that the publication infringes on your privacy.
It should be noted that the CNIL provides a pre-filled letter template that invokes European regulation through the GDPR. Warning: the letter template reminds the recipient that the site manager has a period of one month to react. If nothing happens right away, that does not mean they are ignoring your request. If things are dragging on too long, or nothing is happening, you can file a complaint.
Also note: while the site manager has a month to react, the deletion process itself may also take time. Major social networks and large platforms should respond to your requests without difficulty, but small sites could give you a hard time. If contacting them doesn't help, contacting their host directly is another avenue.
File a complaint
If things take a serious turn, with a fraud attempt targeting you, you can file a complaint directly with the authorities. This is the advice issued on September 23 by the Cybermalveillance platform, which reports to the government. It also offers an electronic complaint letter form to be sent to the police.
"A preliminary investigation carried out on the instructions of the Paris prosecutor's office has been opened with the cybercrime brigade of the regional directorate of the Paris judicial police […] for breaches of access and maintenance in an automated data processing system, fraudulent extraction of data and fraudulent collection of personal data," it recalls.
The advantage of this form is that it can be sent directly by e-mail to the address "complaint-befti at interieur.gouv.fr", or by post to the cybercrime brigade (DRPJ Paris – BL2C 2021 – 160 36 rue du Bastion 75017 Paris). You can also go directly to a gendarmerie brigade or to a police station.
The public prosecutor of the judicial tribunal can also be contacted by post, notes Cybermalveillance. The site also points, if needed, to the France Victimes association, reachable at 116 006 (free call and service). If you begin these procedures, it is advisable to carefully keep all the evidence you have available, including screenshots.