Major French lab chain hit by cyberattack; patients warned their personal and medical data may be exposed

A major network of medical testing labs in France says hackers gained unauthorized access to patient data, information that could include names, emails, encrypted passwords, and in some cases lab results and France’s equivalent of a Social Security number.

The company, Cerballiance, says it serves about 28 million patients a year across more than 600 locations in France and its overseas territories. Now patients are being urged to slow down, verify any alert through official channels, and lock down accounts before scammers weaponize the breach for identity theft and targeted phishing.

What happened, and what data may be at risk

Cerballiance has acknowledged an “unauthorized access” incident involving patient information. The exact data exposed varies by person, according to the company’s communications, but may include civil status details (name and other identifying info), login identifiers (email and an encrypted password), and sometimes medical test reports.

In some cases, the potentially exposed data also includes a French national ID number used for health coverage and benefits, similar in sensitivity to a U.S. Social Security number because it can help scammers convincingly impersonate official agencies.

How to tell if you’re affected (without getting phished)

The clearest sign is a direct notice from Cerballiance by email or text message. Some patients reported receiving a message along the lines of “unauthorized access to some of your data”, the kind of wording that normally screams scam, except Cerballiance has indicated these alerts can be legitimate in this specific case.

Cerballiance has said affected people will be contacted. Based on its public messaging, not hearing from the company means you likely weren’t in the impacted group.

If you’re unsure, don’t click links in any message. Use official contact channels instead: the company’s toll-free number is 0800 95 27 27 (available weekdays 10 a.m.–12 p.m. and 2 p.m.–4 p.m. local time), and the email address is info-rgpd@cerballiance.fr.

When you reach out, have a few non-sensitive details ready (your name, date of birth, and which lab location you visited) to help them locate your file. Don’t share passwords, one-time codes sent by text, or any banking information.

Change your passwords, starting with your email

The fastest step you can take is to change passwords, especially if you’ve reused the same one on other sites. Cerballiance has suggested the password data involved was encrypted, which can reduce some risks, but it doesn’t eliminate them, particularly if criminals use your email address to try logging into other services or to launch convincing password-reset scams.

Start with any Cerballiance patient portal account, then immediately secure your email account, because email is the master key that can reset passwords everywhere else. Use a long, unique password (a 4-to-6-word passphrase works well) and turn on two-factor authentication wherever it’s available.

Security pros also warn against pasting new passwords into an unprotected notes app or document. A reputable password manager is safer, and many services will also alert you when a new device signs in, warnings you should take seriously right now.

Expect “health” phishing that feels personal

When health or government-style identifiers leak, the biggest immediate danger is targeted phishing: texts, emails, or calls that sound credible because they include real details about you, your lab, or recent tests.

A common play is a text claiming you have a “refund pending” or a lab report you need to view, with a link. Don’t tap it. If you need to check anything, use the official app or type the organization’s web address yourself.

Another frequent tactic is a phone call from someone posing as a health insurer or benefits office, asking you to “confirm” your ID number or address. Hang up and call back using a number you looked up independently. Scammers rely on urgency; breaking the rhythm takes away their advantage.

One complication: legitimate breach alerts can look like scams. Treat every message as suspicious, then verify through Cerballiance’s official phone number or email, without clicking through.

What Americans should know about France’s regulators and your rights

Cerballiance says it reported the incident to France’s privacy watchdog, the CNIL, the country’s national data protection regulator; the U.S. doesn’t have a single federal equivalent with the same broad authority. The company also said a complaint has been filed with authorities.

Under Europe’s GDPR privacy law, companies can face steep penalties, up to €20 million (about $22 million) or 4% of global annual revenue, depending on the case. Individuals also have rights to request information about what data was involved and how it was handled, and they can file complaints with the CNIL if they believe the response falls short.

Cerballiance has also pointed to a third-party hosting provider as part of the incident, an increasingly common weak point in health care, where sensitive data often passes through multiple vendors. The bigger question for patients now: whether the company’s security is improving as fast as the threats are.

What to do right now

Verify any notice through Cerballiance’s official channels (0800 95 27 27 or info-rgpd@cerballiance.fr) and avoid links in texts or emails. Change passwords, especially your email, and enable two-factor authentication. Then stay alert for health-themed phishing attempts designed to exploit fear and familiarity.

Key Takeaways

  • Check your situation by calling 0800 95 27 27 or emailing info-rgpd@cerballiance.fr, without clicking on any links.
  • Change your passwords immediately—especially your email—and enable two-factor authentication.
  • Watch for health-related phishing attempts and check your Ameli account for any unusual activity.
  • You can exercise your GDPR rights, request access to the exposed data, and contact the CNIL if necessary.

Frequently Asked Questions

What data may have been exposed in the Cerballiance cyberattack?

The information mentioned includes identity details (last name, first name), login credentials (email and an encrypted password), sometimes medical test reports, and in some cases a Social Security number.

How can I contact Cerballiance if I think I’m affected?

You can call the toll-free number 0800 95 27 27, available Monday through Friday from 10 a.m. to 12 p.m. and 2 p.m. to 4 p.m., or email info-rgpd@cerballiance.fr. Avoid using any link received by text message or email.

What are the first steps to take to reduce the risk?

Change your passwords, especially if you reuse them, secure your email account first, enable two-factor authentication when possible, and monitor your accounts for unusual logins or requests.

Why check Ameli after a data breach?

If administrative data such as a Social Security number is involved, checking Ameli can help you spot changes to your contact details, unexpected reimbursements, or other anomalies that could indicate fraud or identity theft.

What options do I have under the GDPR and with the CNIL?

You can ask Cerballiance for access to your personal data and for details about what was exposed. If you believe your rights aren’t being respected or the response hasn’t been handled properly, you can file a complaint with the CNIL.

Michel Gribouille
I am Michel Gribouille, a jack-of-all-trades writer and master of the keyboard on my site europe-infos.fr. I juggle current events and a variety of topics, always with a touch of humor and an insatiable curiosity. Serious when necessary, but never boring, I like to make my articles as lively as my morning coffee!