UNSS and Cegedim Santé data leaks: how to regain control?
The news at the beginning of 2026 is marked by two major data breaches: the theft of 1.5 million photos of UNSS students and the intrusion at Cegedim Santé affecting 15 million patients. Faced with this “long-lasting” hemorrhage of data (health data, identities of minors), RGPD compliance must evolve from simple administrative management to an active resilience system. For professionals, this means strict control of third-party risks, the adoption of strong authentication (MFA) and a rigorous data purge policy.

Recent news has acted like an electric shock. Between the sale of 1.5 million photos of UNSS students and the massive intrusion into Cegedim Santé affecting 15 million patients, the border between our digital life and our physical intimacy has evaporated. It is no longer a question of “if”, but of “when.” Deciphering a systemic crisis and the levers to deal with it.
The situation is chilling. On specialized dark web forums, the identity of a French child or the medical records of a patient are worth only a few cents. For the victims, however, the cost is incalculable: a permanent loss of control over data that cannot be changed, unlike a credit card code.
Analysis of the facts: an unprecedented hemorrhage of data
At the beginning of 2026, two earthquakes shook the French digital ecosystem:
The UNSS case: the privacy of minors at auction
An intrusion allowed the extraction of 65 GB of sensitive data, including precisely 1,557,000 student ID photos, from 6th to 12th grade. These photos, intended for sports licenses, are now in the hands of cybercriminals. Beyond the theft itself, it is the risk of long-term identity theft and targeted cyberbullying that worries families.
Cegedim Santé: the medical sanctuary violated
The DumpSec group claimed the theft of 19 million lines of data concerning 15 million patients: names, addresses, telephone numbers and, for some, medical information. This attack follows an already historic sanction imposed by the CNIL on the e-health company in 2024, illustrating the difficulty of securing such massive data flows.
Why are these targets preferred by cybercriminals?
Why attack a school sports federation or a medical software publisher? Because these databases contain information that cannot be changed. A password can be reset, but a birth date, a care history, or a teenager's face are permanent assets. In France, the average cost of a data breach now reaches 3.59 million euros per incident (source: IBM 2025), but the social cost is incalculable.
The strategic vision: moving from reaction to resilience
It's time to get out of the “Attack - Excuse - Patch” cycle. Security should no longer be seen as a technical cost, but as a reinforced obligation of means, as defined by Article 32 of the RGPD.
Reflection note: Compliance is not an administrative checklist, it is the organization's immune system. A business that doesn't know its data flows is a business that has already lost the battle.
1. For professionals: anticipate in order not to suffer
- Control of third parties: as the Cegedim incident showed, the risk often comes from partner accesses. Mapping each entry point is crucial. On this subject, review our analysis on third-party risk management and GDPR compliance.
- Data purge: the UNSS still held photos dating back several years. If the data no longer exists, it cannot be stolen. Enforce a strict automatic removal policy tied to the retention period of each processing purpose.
- Strong authentication (MFA): it is the first line of defence. No professional access should rely on a simple username/password combination any longer.
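The data purge point above is the one most often left as a sentence in a policy document rather than something that actually runs. The following is an added example, not code from the original article or from Adequacy, of what "strict automatic removal" looks like in practice: each processing purpose carries a retention limit, records past that limit are selected and dropped, and a record whose purpose has no configured limit is flagged instead of being silently kept, because an unmapped data flow is exactly the kind of blind spot the article warns about. The purposes, retention durations and sample records are all constructed for illustration; the real durations belong in the organisation's record of processing.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention limit per processing purpose, in days. Constructed for this
# example; the legally justified durations come from the organisation's own
# record of processing, not from this code.
RETENTION_DAYS = {
    "sports_licence_photo": 365,      # kept only for the current licence year
    "appointment_contact": 3 * 365,   # hypothetical contact-data limit
}

# Reference date used by the stand-alone run below (constructed).
AS_OF = date(2026, 1, 15)


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date


def select_expired(records, today):
    """Split records into (expired, unmapped) as of `today`.

    expired:  retention period for the record's purpose has elapsed.
    unmapped: purpose has no retention rule at all; reported as a finding
              rather than silently retained.
    """
    expired, unmapped = [], []
    for rec in records:
        limit = RETENTION_DAYS.get(rec.purpose)
        if limit is None:
            unmapped.append(rec)
        elif today - rec.collected_on > timedelta(days=limit):
            expired.append(rec)
    return expired, unmapped


def purge(records, today):
    """Apply the policy: return (records_kept, audit_log_lines).

    The audit lines are what you would write to the violation register /
    processing log so the purge itself is demonstrable to a regulator.
    """
    expired, unmapped = select_expired(records, today)
    expired_ids = {rec.record_id for rec in expired}
    kept = [rec for rec in records if rec.record_id not in expired_ids]
    log = [
        f"{today.isoformat()} PURGED {rec.record_id} "
        f"({rec.purpose}, collected {rec.collected_on.isoformat()})"
        for rec in expired
    ]
    log += [
        f"{today.isoformat()} WARNING no retention rule for {rec.record_id} "
        f"({rec.purpose}); review the record of processing"
        for rec in unmapped
    ]
    return kept, log


# Constructed sample dataset; none of these are real records.
SAMPLE = [
    Record("photo-001", "sports_licence_photo", date(2023, 9, 1)),   # 2+ years old
    Record("photo-002", "sports_licence_photo", date(2025, 9, 1)),   # current year
    Record("contact-001", "appointment_contact", date(2022, 1, 15)), # 4 years old
    Record("misc-001", "newsletter_signup", date(2024, 3, 3)),       # no rule
]

if __name__ == "__main__":
    kept, log = purge(SAMPLE, AS_OF)
    print("\n".join(log))
    print("remaining:", [rec.record_id for rec in kept])
```

Run it as a scheduled job against the real store and you get two artefacts the article asks for: old data that no longer exists to be stolen, and a log proving it was removed on time. The WARNING branch is deliberate; the moment a new collection purpose appears without a retention rule, the job surfaces it instead of accumulating it.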
2. For individuals: taking action after the leak
- Increased phishing awareness: if you are a victim of the UNSS or Cegedim leak, expect extremely credible scam attempts using your real information (the name of your child's school, the name of your doctor).
- Identity surveillance: use services like Have I Been Pwned to track exposure of your email address.
- Filing a complaint: it is a key step to protect yourself legally in the event of future identity theft.
What to do when a data breach occurs
If your organization is affected, transparency is your only ally. The 72-hour deadline for notifying the CNIL is a legal minimum, but communication with those concerned must be humane, clear and proactive. Explain what was stolen, what was not stolen, and what concrete actions were taken.
Cybersecurity is a collective combat sport. By structuring your data governance — via management tools such as those offered by Adequacy — you're not only reducing risk, you're building trust, the most valuable asset in the digital economy.
FAQ on UNSS and Cegedim data leaks
What is the main risk of a UNSS data leak?
The major risk concerns long-term identity theft and cyber-bullying, as 1.5 million photos of underage students have been stolen.
How do I know if my Cegedim Santé data has been stolen?
The publisher has a legal obligation to notify each patient concerned if the data breach poses a high risk to their rights and freedoms.
What are the obligations of a DPO in the event of a massive cyberattack?
The DPO must orchestrate the notification to the CNIL within 72 hours, document the incident in the violation register and advise management on immediate remedial measures.