In what has been described as the most significant cybersecurity breach in France, over 33 million individuals, or nearly half of the country’s population, have fallen victim to a major cyberattack targeting two medical insurance service providers. Viamedis and Almerys, the companies at the centre of the attack, have acknowledged the breach, revealing that the personal data of millions of people is at risk.
Yann Padova, a digital data protection specialist and former Secretary General of the French Data Protection Authority (CNIL), labelled the incident unprecedented, stating, “This is the first time there has been a breach on such a scale.”
The cyberattacks occurred five days apart at the beginning of February, affecting Viamedis and Almerys, both service providers for medical insurance companies. According to Viamedis, the hackers employed phishing techniques and used health professionals’ logins to access the system. Almerys, for its part, reported that the hackers gained access only to a health professionals’ portal rather than to its central system.
Both companies have filed complaints with the public prosecutor, and an ongoing investigation is attempting to trace the origins and motivations behind the cyberattacks.
The compromised data includes sensitive information such as “marital status, date of birth, social security number, the name of the health insurer, and the cover provided by the policy.” However, the CNIL reassured the public that “no bank details, medical data, postal address, telephone number, or email are involved.”
The consequences of this massive data breach extend beyond the potential compromise of personal information. The “tiers payant,” a payment system that allows patients to avoid paying the total cost of medical services upfront, may become temporarily unavailable for certain health professionals, though it remains accessible for patients.
The CNIL warned about phishing risks, emphasising the possibility of combining the newly leaked data with information from previous breaches. Users are urged to exercise caution and verify the authenticity of emails, texts, and calls claiming to be from official organisations.
In accordance with the GDPR, the health insurance companies of the affected people will get in touch with them to provide individual notifications about the security incident. The CNIL recommends that affected individuals remain vigilant and take the necessary precautions to safeguard their personal information in the aftermath of this unprecedented cyberattack.