Skip to content
Support
Sign In Subscribe
Data Breaches

Hacker Claims to Sell 533GB of French and European Healthcare Data and Access

 and  Dark Web Informer
9 min read
Breach Report France flagFrance / EU Healthcare

Hacker Claims to Sell 533GB of French and European Healthcare Data and Access

A threat actor using the alias Zab26 is advertising for sale what they describe as a 533 GB "full-stack" healthcare dataset spanning French and European health systems. The listing claims 1.16 million files, including over 534,000 protected-health-information documents, 479,877 Social Security numbers, more than 115 million database rows, source code, private keys and TLS certificates, and, most alarmingly, claimed live access to health systems, including a query interface to France's DMP (Dossier Medical Partage) shared medical-record platform, Kubernetes clusters, Slack, and mail. The claim is unverified.

Data533 GB / 115M rows
PriceFor sale
CountryFrance flagFrance / EU
ActorZab26

Post details

TargetFrench / European healthcare systems (multiple)
CountryFrance flagFrance / EU
SectorHealthcare
ClaimHealthcare data + live access for sale
Data533 GB, 1.16M files, 115M+ rows
ObservedJun 9, 2026
PriceFor sale (full only, PoF required)
ActorZab26

!Allegedly exposed

  • 533 GB / 1.16M files (claimed)
  • 115M+ database rows
  • 534,697 PHI / medical documents
  • 479,877 Social Security numbers
  • Patient & health-record identifiers
  • Credentials, tokens & password data
  • Private keys & TLS certificates
  • Claimed live system & DMP access

Screenshot

France European healthcare alleged data breach Screenshot 1 Screenshot 1 Redacted preview

Potential impact

If even partly genuine, this would be one of the most serious healthcare exposures imaginable: hundreds of thousands of medical and identity documents, nearly 480,000 Social Security numbers, consultation and vaccination records, and over 115 million rows of personal data tied to French and European health systems. The seller also claims live operational access, including a query path to France's national DMP medical-record platform, plus Kubernetes clusters, mail, and Slack, which, if real, would mean an active, ongoing compromise rather than a static leak. The presence of private keys and TLS certificates raises the risk of impersonation and deeper intrusion. These claims are extraordinary and entirely unverified, and sweeping "everything" listings are sometimes exaggerated or stitched together from multiple sources.

iStatus

Unverified

The dataset and access are advertised for sale on an underground forum, with samples gated behind a password and contact via XMPP or the forum; the sample data, credentials, contact identifiers, and any specific system details are not reproduced here. Given the extraordinary scope, the claim warrants particular caution. It has not been independently confirmed, and no affected organisation has publicly addressed it.

Want the non-redacted screenshots? Paid subscribers get all of the claim details and unredacted screenshots. Check out the threat feed or ransomware feed (whichever applies to this post), then after subscribing, search there for this alert to view the unredacted version. View pricing →

DARK WEB INFORMER - THREAT INTELLIGENCE

Related

Latest