Health Data Hacked: 33 Million French People Could Be Affected

Nousseu DOUON

At the beginning of 2024, Viamedis and Almerys, two third-party payment management companies, were victims of intrusions into their computer systems. The leak potentially affects more than 33 million people and exposes large amounts of health data. The National Commission on Informatics and Liberty (CNIL) and the National Agency for the Security of Information Systems (ANSSI) were notified.

What is a data breach?

A security violation characterized by the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data, whether accidental or unlawful.

Source: CNIL

What data was exposed?

The compromised data includes civil status, date of birth, social security number, the name of the health insurer, and the guarantees of the contracts subscribed. However, the CNIL has announced that banking information, postal addresses, telephone numbers, and health reimbursements were not accessed fraudulently.

This data breach originated from an intrusion into the platform, not from a ransomware attack. The hackers managed to access the computer systems of Viamedis and Almerys by usurping the login credentials and passwords of health professionals who use their services. These attacks, which took place on January 29 and February 3, were reported five days apart by the two managers.

At a time when the debate is focused on the hosting of health data by Microsoft, the question of the security of this data could also be raised.

The CNIL, informed of these computer attacks as required by the General Data Protection Regulation (GDPR), has launched an investigation. The goal of this inquiry is to determine if the security measures implemented before the incident and in response to it were appropriate under the GDPR.

Although the CNIL is not able to specify which insured individuals are affected by this data breach, it is up to the complementary organizations using these providers to inform the affected persons.

We inform you that healthcare professionals have been victims of identity theft.

This malicious act could have resulted in unauthorized access to your data via our third-party payment operator. The exposed personal data are limited and are as follows for you and your family: name, first name, date of birth, social security number, name of your health insurer, and your contract number.

Banking data, medical data, health reimbursements, postal addresses, phone numbers, and email addresses are not affected by this malicious act.

We have taken the necessary measures to stop these unauthorized accesses.

Your member area and your reimbursement requests are not impacted and are accessible.

You can use your Vitale card and your third-party payment card without any risk.

When processing your operations, our services may contact you to validate the request received.

We recommend that you be particularly vigilant about any solicitations you may receive in the coming weeks that might attempt to impersonate your identity or that of Apivia Macif Mutuelle.

You can contact us by email at incident.sante@apivia.fr if you wish for further details or advice regarding this incident.

We apologize for the inconvenience and want to assure you that Apivia Macif Mutuelle places the highest importance on the security and protection of personal data.

Message sent on 08/02/2024 by Apivia, one of the mutual insurance companies affected by the data leak. Subject: "Information on the protection of your personal data"

What are the CNIL's recommendations?

Given the situation, the CNIL recommends that insured individuals exercise caution regarding solicitations about healthcare expense reimbursements, and regularly check the activities on their accounts. It will ensure that the insured are contacted "as soon as possible."

For its part, the Health Insurance had already published some examples of fraudulent SMS messages used to scam the insured.

Example of fraudulent SMS: Health Insurance: Your Vitale card is expiring, it must be updated immediately. Below: ...

An investigation was opened on February 9 by the Paris prosecutor's office for "offenses of breach of an automated data processing system, fraudulent collection of personal data, and receiving stolen goods."

This incident highlights the importance of cybersecurity in the healthcare sector. It is crucial that companies take all necessary measures to protect the sensitive data of their clients. It is also essential for healthcare professionals to be aware of the importance and sensitivity of the data they handle daily.

[Cover photo: National Cancer Institute]