On February 26, 2026, an investigation by France 2 exposed a major leak at Cegedim, a vendor of medical software. The anomaly was reportedly detected at the end of 2025 in MLM (Mon Logiciel Médical), used by roughly 3,800 doctors (about 1,500 of whom were affected by the incident). The published toll: approximately 15 million administrative records (identity, addresses, emails, phone numbers) and an estimated 164,000–169,000 people potentially exposed with sensitive data (free-form medical notes).
If you run an SME in healthcare (clinic, care center, lab, software vendor, insurer, or service provider), don’t fall into the trap of thinking “it happened to them, not us.” In healthcare, your cyber risk frequently equals the risk of the tools and partners you rely on.
The SME Opportunity
Incidents like this are brutal — but they force clarity. They compel you to tidy your software supply chain and your data governance. That clarity translates directly into defensive ROI: fewer outages, less operational stress, reduced legal exposure, and stronger leverage to change vendors when needed.
- Map what actually flows: which patient data and administrative records move where, how they move, and who can access them. Many SMEs discover they retain data “out of habit” rather than out of necessity.
- Audit your critical software: versions, dependencies, access modes, account management, and logging. The goal: identify blind spots before a journalist — or an attacker — does it for you.
- Reduce vendor lock‑in: when a tool becomes a recurring single point of failure, the ability to switch (or to renegotiate) is a business advantage, not just an IT concern.
Vigilance Required
The Cegedim file contains several signals that should concern executives, not only CIOs.
- Uncomfortable timeline: discovery in late 2025, physicians contacted in early January 2026, public disclosure in late February. Such delays should prompt a simple question: what is our plan if a vendor stalls on communication?
- Poor track record: Cegedim was targeted in 2023 (Clop) and fined in 2024 (CNIL fine of €800,000) for unauthorized processing of health data. Two incidents plus a sanction look like a pattern, not an accident.
- Unclear volume of sensitive data: of the 15M records, only a fraction reportedly contained medical notes. For an SME, the critical question is precise: what data lives with us, what lives with the vendor, and what was actually leaked?
- Critical dependency with no visibility: if your operations rely on a medical application, downtime, compromise, or loss of trust has immediate operational and reputational cost.
Compliance Perspective
This incident squarely concerns health data: it falls under the core of the GDPR (special categories of personal data, Art. 9) and, where relevant, the Swiss nLPD. That creates an obligation for enhanced security measures (Art. 32 GDPR) and a 72‑hour notification deadline when a personal data breach occurs.
For SME customers, the practical issue is contractual and organizational: your contracts must include binding compliance clauses (security SLAs, audit rights, notification procedures, reversibility, and termination rights). Without a clear framework, liability becomes ambiguous — and potentially costly.
Finally, if data residency or hosting strategy is unclear, ask now. Depending on requirements, local hosting alternatives with EU/Swiss data residency exist (e.g., Infomaniak, OVHcloud, Exoscale).
Conclusion & Cohesium Support
The Cegedim breach underlines a simple rule: in healthcare, your attack surface includes your software supply chain. The right response is not panic — it’s control: know which data you handle, through which tools, and under what guarantees.
Instead of ad‑hoc fixes, Cohesium AI offers a pragmatic, hands‑on approach: targeted GDPR/nLPD audits of your critical software and vendor contracts (mapping of sensitive data, risk assessment, compliance gaps); software supply‑chain resilience audits (vulnerable versions, SLAs, dependencies, alternative options); and, where needed, hosting recommendations toward trusted local operators (Infomaniak, OVHcloud, Exoscale) with strict data‑residency requirements. Typical engagement: a 2–3 day diagnostic, followed by a 6–12 month prioritized roadmap aligned to business impact.
Contact us to discuss custom integrations or strategic audits tailored to your organization.
