
Health Insurance Cyberattack: 33 Million French Citizens Fall Victim to Data Theft


Viamedis and Almerys, two operators responsible for managing third-party payments for supplementary health insurance, have notified the French data protection authority, the CNIL, of a cyberattack they suffered at the end of January. The breach, which includes social security numbers, affects approximately 33 million individuals. It marks the largest cyberattack in France to date.

33 million insured French citizens are affected by a data breach. The compromised data includes the civil status, date of birth, social security number, health insurer’s name, and policy coverage for the insured and their family members.

According to the CNIL,

“Data such as banking information, medical records, healthcare reimbursements, postal addresses, phone numbers, or emails are not believed to be affected by the breach.”

We contacted one of the French insurers working with Viamedis, Malakoff Humanis, who confirmed the same.

A Cyberattack via Healthcare Professionals

The attack occurred after the theft of credentials and passwords of healthcare professionals. The alert was raised on February 1st by Viamedis, which detected the attack. It notified other third-party payment platforms.

A few days later, another company, Almerys, also announced that it had detected an intrusion. The other major third-party payment platforms have not announced any breaches and seem to be, so far, unaffected.

A Large-Scale Attack

The two service providers that were attacked are heavyweights in the industry. Between them they account for just under 40 million social security-insured individuals, are affiliated with around a hundred partner supplementary health insurers, and have over 200,000 professional members.

33 million French people are affected. This makes this data breach one of the largest in France. For now, investigations are ongoing to determine how this theft could have occurred, how the credentials of professionals were compromised, and who the hackers are.

Significant Risks

One thing is sure: the stolen data is extremely sensitive. The social security number, for example, is a unique and definitive identifier assigned to each French citizen. It is a crucial element in various administrative procedures and cannot be changed like a compromised password.

The leakage of social security numbers exposes victims to phishing and identity theft risks. According to the CNIL, it is indeed

“possible that the data may be combined with other information from previous data breaches.”

In other words, it would be possible to recreate a person’s identity and engage in criminal activities in their name or apply for consumer loans or other financial transactions.

Not a Surprise

For Romain Aviolat, CISO of Kudelski Security, a division of the Kudelski Group, which provides services covering the entire spectrum of cybersecurity, this data theft is not a surprise.

“Well, am I surprised? Not at all. Is it new? No. Will there be more in the future? Yes, that’s for sure. France was hit hard by this attack, but the United States also suffered a lot the previous year. We also have major financial organizations, insurance companies, and investment funds that face the same issues. We need to be more responsive and invest our money better in protection systems, to be quicker in detection, prevention, and response. Cyberattacks are no longer a matter of hours, weeks, or months; they’re a matter of minutes. Our systems and the people who maintain them need to be much more responsive.”
