The data of more than 33 million people was compromised during cyberattacks targeting the operators Viamedis and Almerys, which manage third-party payments for complementary health insurance, the National Commission for Information Technology and Liberties announced on Wednesday February 7. (CNIL).
“The data concerned are, for policyholders and their families, marital status, date of birth and Social Security number, the name of the health insurer as well as the guarantees of the contract subscribed”specified in a press release the policeman of private life in digital matters, adding that banking, medical information and which concern health reimbursements “would not be affected”.
For French people affected, it is recommended to “be careful about the requests that[ils peuvent] receive, in particular if they concern reimbursements of health costs”but also “to periodically check the activities and movements on [leurs] different accounts ». It is in fact “possible that the data that was the subject of the breach is coupled with other information from previous data leaks”explains the CNIL.
The latter will “conduct investigations very quickly” to verify whether the security measures of these operators were in compliance with their obligations, also calls on each of the complementary parties using Viamedis or Almerys to inform “individually and directly” all of their policyholders affected by this data breach. She says she’ll make sure it gets done ” as soon as possible “.
The attack was carried out by the usurpation of health professionals’ identifiers and passwords. Almerys and Viamedis have not published any information to understand whether the attacks were simply intended to steal data, or whether they could have other goals such as planting ransomware.
The alert was given on 1er FEBRUARY. Viamedis, which filed a complaint with the public prosecutor, indicated that it had disconnected its management platform upon discovery of the intrusion, which did not prevent social security policy holders from benefiting from third-party payment. . Its general director, Christophe Candé, explained that it was not a ransomware attack but an intrusion into the platform. “A healthcare professional’s account was phished”he then revealed.
Almerys said on Wednesday that its central information system was not affected by the cyberattack. Only sound “portal dedicated to healthcare professionals” was affected and closed, the company claimed.
The other major third-party payment platforms do not appear to have been affected, according to information collected by Agence France-Presse from SP Santé (subsidiary of Cegedim) and Actil (subsidiary of Apicil), among others.