Health Data Hacked: 33 Million French People Could Be Affected
At the beginning of 2024, Viamedis and Almerys, two third-party payment management companies, were victims of intrusions into their computer systems. The resulting leak potentially affects more than 33 million people and exposes large amounts of health data. The National Commission on Informatics and Liberty (CNIL) and the National Agency for the Security of Information Systems (ANSSI) were notified.
What is a data breach?
A security violation characterized by the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data, whether accidental or unlawful.
Source: CNIL
What data was exposed?
The compromised data includes civil status, date of birth, social security number, the name of the health insurer, and the guarantees of the contracts subscribed. However, the CNIL has announced that banking information, postal addresses, telephone numbers, and health reimbursements were not accessed fraudulently.
This data breach originated from an intrusion on the platform, not a ransomware attack. Hackers managed to access the computer systems of Viamedis and Almerys by impersonating health professionals who use their services, logging in with those professionals' identifiers and passwords. These attacks, which took place on January 29 and February 3, were reported five days apart by the two managers.
At a time when the debate is focused on the hosting of health data by Microsoft, the question of the security of this data could also be raised.
The CNIL, informed of these computer attacks as required by the General Data Protection Regulation (GDPR), has launched an investigation. The goal of this inquiry is to determine if the security measures implemented before the incident and in response to it were appropriate under the GDPR.
Although the CNIL is not able to specify which insured individuals are affected by this data breach, it is up to the complementary organizations using these providers to inform the affected persons.

What are the CNIL's recommendations?
Given the situation, the CNIL recommends that insured individuals exercise caution regarding solicitations about healthcare expense reimbursements and regularly check the activity on their accounts. The CNIL will ensure that the insured are contacted "as soon as possible."
For its part, the Health Insurance had already published some examples of fraudulent SMS messages used to scam the insured.

An investigation was opened on February 9 by the Paris prosecutor's office for "offenses of breach of an automated data processing system, fraudulent collection of personal data, and receiving stolen goods."
This incident highlights the importance of cybersecurity in the healthcare sector. It is crucial that companies take all necessary measures to protect the sensitive data of their clients. It is also essential for healthcare professionals to be aware of the importance and sensitivity of the data they handle daily.
References:
- CNIL.fr - Data breach of two third-party payment operators: CNIL launches an investigation and reminds insured of the precautions to take
- Ameli - Beware of fraudulent calls, emails, and SMS
- Franceinfo - Cyberattack on Viamedis and Almerys mutuals: an investigation opened on the hacking of data of 33 million French people
[Cover photo: National Cancer Institute]