Keep your medical context in your hands after the French health data breach.

Cegedim Sante exposed 15.8 million files, and Medoucine exposed 813,866 patient records. Patient-held records, selective disclosure, and revocable access preserve care continuity without another centralized medical-data honeypot.

Explore the patient-held model No credit card required

See how revocable sharing works

Why this matters

CORE PROMISE

The French health breach cluster did not just leak names and administrative rows - Slide 1

The French health breach cluster did not just leak names and administrative rows

What It Does · Core Promise · What changed

The French health breach cluster did not just leak names and administrative rows. It leaked the clinical context that tells other people how your life works.

Cegedim Sante exposed 15.8 million files, and Medoucine exposed 813,866 patient records tied to centralized storage and free-text collection.

The Cegedim Sante incident included doctor notes with sensitive annotations, not just generic contact fields.
The Medoucine incident shows how comment boxes quietly collect intimate narrative detail that becomes breach material later.
A patient-held record map should distinguish identity data, care history, notes, family context, and disclosure events so the person can act in order.
Clarity is the first layer of recovery because patients cannot protect what they cannot inspect.

If a platform leaks my notes, it leaks the meaning around my care, not just a database row.

Reconstruct a patient-owned ledger of records, annotations, consent events, and provider shares before creating any new workflows.

TARGET AUDIENCE

The primary stakeholder is the patient whose care story escaped the clinic context - Slide 1

The primary stakeholder is the patient whose care story escaped the clinic context

Who It Serves · Target Audience · Who is affected

The primary stakeholder is the patient whose care story escaped the clinic context. Doctors, wellness practitioners, and caregivers matter, but they matter after the patient's agency is restored.

The exposed population spans ordinary patients, high-profile public figures, and households mentioned inside notes and form narratives.

Patients face the direct privacy shock because notes can reveal diagnosis clues, life circumstances, and social vulnerability.
Doctors need usable context, yet they also inherit trust damage when vendor tools store more than the encounter requires.
Holistic practitioners and patients on Medoucine are a second segment because free-text intake created a different but related exposure path.
Caregivers and family members are implicated when their names and relationships appear inside notes.

I never agreed to become a permanent case file inside every software tool that touched my care.

Design the page around patient agency first, then show how clinicians and partners benefit when sharing becomes narrower and easier to audit.

ACCESS POINTS

Care coordination should happen through patient-directed channels, not through giant vendor warehouses that quietly keep - Slide 1

Care coordination should happen through patient-directed channels, not through giant vendor warehouses that quietly keep

Where To Find It · Access Points · Where control happens

Care coordination should happen through patient-directed channels, not through giant vendor warehouses that quietly keep every attachment and narrative forever.

One patient-held channel can replace repeated uploads, repeated form fields, and repeated over-disclosure across clinics, specialists, and wellness providers.

Patients should be able to send a scoped share link, a time-bound export, or a visit-specific summary instead of a permanent full copy.
Doctors and practitioners get the information they need faster because the channel already packages it for the visit context.
The channel should preserve provenance so receivers know what came from the patient and when it was last updated.
No new intermediary should accumulate the full record once the exchange is complete.

I want to send what this appointment needs, not upload my whole history again.

Move from platform inboxes and comment boxes to patient-generated summaries, scoped links, and expiring access tokens.

Explore More

USER EXPERIENCE

Trust does not come back because a breached platform sends an apology

How It Works · User Experience · How trust returns

Trust does not come back because a breached platform sends an apology. It comes back when every disclosure has a purpose, a recipient, an expiry, and a visible receipt.

A signed consent trail turns hidden downstream copying into inspectable events that patients can challenge or end.

Patients need a live log of who accessed what, under which purpose, and for how long.
Clinicians need a simpler way to request and verify permission without wrapping everything into terms of service.
Revocation should be a normal patient action, not a crisis-only move after another breach.
Auditability also protects honest providers by clarifying which copy was authorized and which copy was not.

VALUE & PRICING

Centralized overcollection looks efficient until exposed records start carrying stigma, legal exposure, support costs, a

What It Costs · Value & Pricing · What the breach really costs

Centralized overcollection looks efficient until exposed records start carrying stigma, legal exposure, support costs, and repeated patient distrust across the care system.

The visible breach count is 16.6 million-plus files and records across the cluster, but the hidden cost is every repeated explanation, re-consent step, and trust repair burden that follows.

Patients pay in anxiety, defensive behavior, and lost willingness to share honestly during care intake.
Providers pay in reputational drag and remediation time even when the storage architecture came from a vendor.
Regulators and prosecutors pay in investigative overhead because records moved through systems nobody could fully inspect.
The patient-held model changes the cost curve by reducing how much sensitive context is copied into each system in the first place.

ASSETS & CAPABILITIES

The essential resource is not another institutional dashboard

Proof & Evidence · Assets & Capabilities · What must be owned

The essential resource is not another institutional dashboard. It is the patient-held canonical record that travels with provenance, consent history, and the right amount of context.

One portable record package can replace repeated uploads, repeated note re-entry, and repeated vendor copies across the care journey.

The record should include medical facts, administrative essentials, care preferences, and a history of what was shared where.
Provenance matters because clinicians need to trust the source and freshness of the information they receive.
Structured summaries should sit beside private personal notes so reflection can stay local while care facts remain usable.
Portability matters most during transitions between providers, specialties, and support networks.

OPERATIONS & TIMING

The winning activity set is not endless accumulation

How It Performs · Operations & Timing · What the system must do

The winning activity set is not endless accumulation. It is a disciplined loop: collect less, structure well, share narrowly, prove consent, and close access when the purpose ends.

Four core activities define the safer model: patient-led structuring, scoped sharing, live audit logging, and clean revocation after use.

Structured intake should replace narrative dumping wherever possible while still leaving room for patient-chosen nuance.
Scoped sharing should package context for a visit, a referral, or a therapy relationship without exposing the full historical archive.
Audit logging should be live and patient-visible instead of buried in vendor compliance systems.
Revocation should be normal, fast, and technically enforceable.

ECOSYSTEM & ALLIES

A patient-held model only works if clinics, software vendors, wellness providers, auditors, and regulators can all accep

Partners · Ecosystem & Allies · Who has to cooperate

A patient-held model only works if clinics, software vendors, wellness providers, auditors, and regulators can all accept the same proof of permission and provenance.

The partner set spans doctors, holistic practitioners, health software vendors, prosecutors, and regulators because every one of them touches record movement or accountability.

Doctors and clinics need lightweight ways to request and verify patient-provided context.
Holistic and wellness platforms need safer alternatives to open comment fields that still preserve useful intake.
Software vendors need to support narrow imports, expiries, and patient-originated provenance rather than copy everything forever.
Regulators and investigators need clearer standards for what a lawful, inspectable sharing trail looks like.

INVESTMENT & READINESS

Changing the architecture sounds heavy until you compare it with another cycle of leaked notes, emergency notices, patie

Positioning · Investment & Readiness · What it takes to switch

Changing the architecture sounds heavy until you compare it with another cycle of leaked notes, emergency notices, patient distrust, and duplicated remediation.

The cost of structured intake, patient-held records, and revocable sharing is lower than repeating breach-scale exposure across millions of records.

Migration requires schema work, intake redesign, provider training, and narrower retention defaults.
Those costs are finite and operational, unlike the open-ended cost of repeated confidentiality failure.
Patients also pay less in retelling, mistrust, and defensive omission when the architecture no longer invites silent overcollection.
The strategic position is simple: fewer centralized copies, more patient-directed continuity.

The French health breach cluster did not just leak names and administrative rows

The French health breach cluster did not just leak names and administrative rows

Business Model Perspective

Marketing Perspective

Strategic Questions

The primary stakeholder is the patient whose care story escaped the clinic context

The primary stakeholder is the patient whose care story escaped the clinic context

Business Model Perspective

Marketing Perspective

Strategic Questions

Care coordination should happen through patient-directed channels, not through giant vendor warehouses that quietly keep

Care coordination should happen through patient-directed channels, not through giant vendor warehouses that quietly keep

Business Model Perspective

Marketing Perspective

Strategic Questions

Explore More

Trust does not come back because a breached platform sends an apology

Trust does not come back because a breached platform sends an apology

Business Model Perspective

Marketing Perspective

Strategic Questions

Centralized overcollection looks efficient until exposed records start carrying stigma, legal exposure, support costs, a

Centralized overcollection looks efficient until exposed records start carrying stigma, legal exposure, support costs, a

Business Model Perspective

Marketing Perspective

Strategic Questions

The essential resource is not another institutional dashboard

The essential resource is not another institutional dashboard

Business Model Perspective

Marketing Perspective

Strategic Questions

The winning activity set is not endless accumulation

The winning activity set is not endless accumulation

Business Model Perspective

Marketing Perspective

Strategic Questions

A patient-held model only works if clinics, software vendors, wellness providers, auditors, and regulators can all accep

A patient-held model only works if clinics, software vendors, wellness providers, auditors, and regulators can all accep

Business Model Perspective

Marketing Perspective

Strategic Questions

Changing the architecture sounds heavy until you compare it with another cycle of leaked notes, emergency notices, patie

Changing the architecture sounds heavy until you compare it with another cycle of leaked notes, emergency notices, patie

Business Model Perspective

Marketing Perspective

Strategic Questions