Doc NEW: 2.1 million personal medical records from AP-HP (Paris hospitals)

[graycat]

We are proud to announce the compromise of 2.1 million patient records from AP-HP (the public hospital system of the Paris region).

This operation spanned four years and required access to dozens of different service and hospital accounts. As a result, the medical records date back to 2021 for the oldest and up to 2025 for the most recent.

By gaining access to physician and healthcare staff accounts across all hospitals in the region, we were able to scrape data from ORBIS, the internal patient record management tool, which contains all medical and social data. The patient information necessary for scraping was obtained through the accounting department's data.
Here are the types of data involved, per patient:

Identité / DMB / Social / Rééducation / Avis / Soins / Médicaments / RDV / Réanimation / Urgences adultes / Urgences pédiatrique / Imagerie / Prescriptions biologique / Résultat biologique / Périnatal / Anesthésie / PMSI MCO / PMSI SSR / PMSI actes / NGAP / PMSI PSY / PMSI SIM / CPOE / SIU

During the scraping process, the software was enhanced with additional features and interconnectivity. Therefore, some records may not contain all of these data points. We downloaded as much data as possible for each patient.

AH-HP can reach out to us privately. We will transfer all the data in our possession immediately. And then we will negotiate.

We would not like to have to publish the medical records of sick and innocent people, but we are not responsible for the poor security of their system. We are giving them 14 days to consider. After this deadline, the records will be published here for free, at a rate of 100,000 records per day, totaling 7 TB of data.

 

[testoio]

Thanks for sharing.

To better assess the credibility of this claim, can you clarify a few points:

• Can you provide non-sensitive samples (redacted) demonstrating the structure of the data (field names, timestamps, formats), without exposing personal data?
• Which specific AP-HP entities / hospitals were involved (ORBIS instance scope, single GHU vs regional)?
• Is this data coming from a single database export or multiple sources aggregated over time?
• How do you distinguish this dataset from the known 2020–2021 AP-HP COVID data breach already publicly documented?
• Are the records internally consistent (patient IDs, visit dates, medical acts) across years 2021–2025?

Clarifying these points would help differentiate a genuine breach from recycled or recomposed datasets.

 

[graycat]

Thanks for sharing.

To better assess the credibility of this claim, can you clarify a few points:

• Can you provide non-sensitive samples (redacted) demonstrating the structure of the data (field names, timestamps, formats), without exposing personal data?
• Which specific AP-HP entities / hospitals were involved (ORBIS instance scope, single GHU vs regional)?
• Is this data coming from a single database export or multiple sources aggregated over time?
• How do you distinguish this dataset from the known 2020–2021 AP-HP COVID data breach already publicly documented?
• Are the records internally consistent (patient IDs, visit dates, medical acts) across years 2021–2025?

Clarifying these points would help differentiate a genuine breach from recycled or recomposed datasets.

Hello,


These files were scraped from the ORBIS software, this is not a direct database export. The data was collected slowly over the years by mimicking near-normal usage to avoid detection and expulsion from the internal network. As a result, the variables and structure largely depend on my script.

AP-HP's deadline is in 13 days.

Here is the list of the main hospitals involved: Beaujon (BJN) ; Bicêtre (BCT) ; Cochin (COC) ; Necker (NEC) ; Pitié-Salpêtrière (PSL) ; Tenon (TEN) ; Henri-Mondor (HMD)

However, a patient only needs to have visited one of these hospitals once to gain access to their entire medical record, including records from other AP-HP hospitals not on this list.


This dataset is in no way related to the 2021 leak, which only concerned a server dedicated to COVID tests.


Here, all medical data comes from ORBIS, including each patient's medical records, distributed across different modules, services, and specialties. This means that medical records, doctors' notes, prescriptions, imaging, etc. are all included.


I can confirm that the data is fully consistent and very comprehensive, although total completeness for every patient is not guaranteed due to internal AP-HP issues (compatibility between services, feature additions, account permissions, bugs that may have caused downtime at certain periods).

 

[frenchguy.chomp]

I know France and big public administrations fairly well.


I'm a bit skeptical about the "AP-HP deadline". Without something concrete, they usually don't react.


How did you make AP-HP aware of this?

 

[frenchguy.chomp]

I've been following the thread and checking reactions from different people.


To be honest, this is starting to look very weak. Several community members are saying it feels recycled or unverifiable, and so far there's no concrete proof beyond claims.


No samples, no clear technical artifacts, no third-party confirmation — just long explanations.


At this point, it honestly looks fake or heavily exaggerated. If there was something real behind it, we would have seen at least something solid by now.