The silent war on French Hospital: how to understand the rise of the cyberattacks?

During the night of 8–9 February 2021, cybercriminals broke into the information system of the Dax hospital in France. They remotely took control of the network and launched a ransomware attack. Within a few hours, thousands of confidential medical files were locked and rendered inaccessible. This topic is deeply personal to me: my mother is a nurse and had to manage the aftermath of a cyberattack at the hospital where she worked.

The consequences were immediate: operations had to be cancelled, and in the most serious cases, patients were transferred to other hospitals capable of treating them, sometimes accompanied by their own doctors, powerless in front of the situation. Inside the hospital, chaos rapidly spread only paper and pens were still usable, and many digital medical tools were out of service. Other healthcare institutions had to lend equipment. The malware was removed five days later, for a total estimated cost of 2.3 million euros.

This was not the first attack of this kind in France, and it will not be the last. Similar cases

occurred in Cannes, Villefranche-sur-Saône, and even Versailles. French hospitals have become a recurring target for cybercriminals. This raises serious concerns for the national healthcare system and for the general public, who may begin to lose trust in the security of their own medical institutions.

As a growing phenomenon, it is intertwined with broader geopolitical and technological issues, and the French state has proposed a range of solutions. In a context where war is once again at the gates of the European Union, cybersecurity has

returned to the forefront of national priorities. It is therefore legitimate to ask whether our

systems are prepared for large-scale cyberattacks.

Ransomware: How are the attacks affecting the French hospitals?

First of all, we have to define what ransomware is. It is a malicious program that blocks access to stored computer data, which can only be unlocked in exchange for money. This payment is usually demanded in cryptocurrency in order to reduce traceability.

According to ANSSI, the French national agency for information system security, the healthcare sector is one of the most targeted sectors by ransomware attacks in France. Several dozen healthcare institutions were affected between 2020 and 2022. French hospitals are particularly vulnerable for several reasons. First, many hospitals rely on

outdated information systems. In addition, hospitals have many entry points, such as staff

computers, medical devices, or external contractors. The budget of French hospitals is widely debated in French politics because of chronic underfunding, which makes cybersecurity budgets in public hospitals often limited. Finally, medical data is extremely valuable to hackers because it is personal, permanent, and highly sensitive. This combination of weaknesses makes French public hospitals particularly attractive targets for cybercriminals.

These attacks have a direct impact on hospitals and significantly affect patient safety.

Emergency services may be partially or fully shut down. Doctors can lose access to essential patient medical records, which may lead to errors in treatment. Surgeries are postponed or, in the worst cases, cancelled. Sensitive medical data can be stolen and leaked, and in some cases patient data has been found on the dark web following attacks on French hospitals. Finally, medical staff face extreme stress and organizational disruption.

A clear example illustrating these consequences is the case of the Dax hospital discussed in the introduction. Its information system was completely shut down, forcing staff to return to paper-based procedures. Surgeries were cancelled or transferred to other institutions in the following days, at an estimated cost of 2.3 million euros. Dax is not an isolated case: similar attacks later affected hospitals in Versailles and Cannes.

Who are the actors?

Most attacks against French hospitals are attributed to organized cybercriminal groups,

according to ENISA, the European Union agency dedicated to strengthening cybersecurity in Europe. Groups such as Conti or LockBit have targeted healthcare institutions across Europe. These groups often operate from Eastern Europe.

Some cyberattacks against French critical infrastructure have been officially attributed to

Russian state-linked groups. However, no cyberattack against a French hospital has been

publicly and officially attributed to Russia, even though pro-Russian hacktivist groups have

targeted healthcare institutions in other European countries. This highlights the difficulty of

attribution in cyberspace.

Let us now focus on the LockBit group. Formed in 2019, this group is responsible for more than 1,700 cyberattacks, mainly targeting large companies such as Thales, Continental, or TSMC. The most targeted countries include the United States, France, Germany, and the United Kingdom. In France, the group has targeted several hospitals and medical centres, such as the hospital of Corbeil-Essonnes in 2020, the Elsan group in January 2023, or the SDIS Loiret (firefighters) in November 2023.

LockBit is a Russian-speaking group that avoids targeting Russian interests or former Soviet

republics. Members of the group have been arrested by law enforcement agencies worldwide, including recently in Canada. In 2024, the UK National Crime Agency, the FBI, and Europol announced sanctions against the group’s leader, Dmitry Khoroshev, and declared the group dismantled.

However, this effort has not been entirely successful. In April 2024, the group was behind a

major cyberattack against the hospital of Cannes, similar to the one in Dax. This demonstrates that the group remains active and capable of targeting major institutions.

Why attacking the hospitals?

There are several reasons why hackers target hospitals:

1. Financial motivations: hospitals are more likely to pay quickly to restore their systems, as every minute counts. This makes them particularly vulnerable to pressure.

2. Double extortion, where data is encrypted and attackers threaten to leak personal information.

3. Creating Panic: Cyberattacks against hospitals can also represent strategic pressure on a country’s population by creating panic.

4. Opportunistic target, as medical records are among the most expensive types of data on the dark web, according to INTERPOL.

Implication for national security

Attacks on hospitals have serious consequences for French national security. According to

ANSSI and a French Senate report on cybersecurity published in 2021, modern societies rely heavily on information systems, including French society.

Attacking hospitals means attacking civilian infrastructure. Civil society is affected by new forms of warfare, and states may struggle to respond effectively. These attacks represent a form of information infrastructure warfare. Beyond technical damage, they raise ethical and human concerns and may directly endanger lives.

To address this lack of security, France has launched programs aimed at improving hospital

cybersecurity, including national cyber maturity plans.

The remaining question is therefore: can a healthcare system truly protect patients if its digital infrastructure remains vulnerable?

These attacks represent a new form of warfare: cyberwar, which can be just as destructive as conventional warfare. This threat is long-term and requires sustained attention from states. To strengthen healthcare institutions, governments may need to train more cybersecurity professionals and invest in stronger digital infrastructure. Long-term investment will be essential to ensure resilience.

Bibliography:

Agence nationale de la sécurité des systèmes d’information (ANSSI). (2024, November 7).

Secteur de la santé - État de la menace informatique (CERTFR-CTI-010). Available at:

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2024-CTI-010.pdf (last seen: 17.12.2025)

Assemblée nationale. (2025). Rapport fait au nom de la commission spéciale chargée d’examiner le projet de loi relatif à la résilience des infrastructures critiques et au renforcement de la cybersécurité (n° 1112). Available at: https://www.assemblee-

nationale.fr/dyn/opendata/RAPPANR5L17B1779-tI.html (last seen: 17.12.2025)

European Union Agency for Cybersecurity (ENISA). (2023, July 5). Health threat landscape: Cyber threats and trends in the healthcare sector. Publications Office of the European Union. Available at: https://www.enisa.europa.eu/publications/health-threat-landscape (last seen: 17.12.2025)

Le Monde. (2021, February 15). Available at: https://www.lemonde.fr/pixels/article/2021/02/15/apres-celui-de-dax-l-hopital-de-villefranche-paralyse-par-un-rancongiciel_6070049_4408996.html (last seen: 17.12.2025)

What’s up doc. (2024, May 6). Cyberattaque au centre hospitalier de Dax : un chaos de plusieurs mois, mais des leçons à en tirer. Available at: Cyberattaque au centre hospitalier de Dax : un chaos de plusieurs mois, mais des leçons à en tirer (last seen: 17.12.2025)

Wikipedia Contributors. (2025). LockBit. In Wikipedia, The Free Encyclopedia. Retrieved

December 16, 2025, Available at: https://en.wikipedia.org/wiki/LockBit (last seen: 17.12.2025)

L’usine digitale. (2024, May 4). Cyberattaque à l’hôpital de Cannes : les hackers de LockBit

publient 61 gigaoctets de données. Available at: https://www.usine-digitale.fr/article/cyberattaque-a-l-hopital-de-cannes-les-hackers-de-lockbit-publient-61-gigaoctets-de-donnees.N2212620 (last seen: 17.12.2025)

About the author: ETIENNE César is a PPE student from Université Catholique de Lille (France). His academic interests include politics and geopolitics, and he is particularly interested in issues related to strategic communications and media.