In a significant cybersecurity incident, nearly half of France's population had their data exposed in a large-scale cyber attack on the healthcare payment services Viamedis and Almerys.
This revelation comes from the National Commission on Informatics and Liberty (CNIL), which announced that both data breaches impacted 33 million people in the country.
The breach was initially reported by Viamedis on LinkedIn mentioning that the incident affected the company, beneficiaries and healthcare professionals. The company's website has since been unavailable.
The types of data compromised include names, birth dates, details of insurers, social security numbers, marital and civil status, and entitlements for third-party payments. Fortunately, banking information, email addresses, postal addresses, or telephone numbers were not exposed as Viamedis did not store such data on the compromised systems.
Viamedis is a key player in the healthcare sector, serving 20 million insured individuals across 84 healthcare organisations. However, the extent of the breach's impact on these insured individuals remains under investigation. CNIL has since confirmed the breach, highlighting its significant impact on 33 million people in France.
“This is the first time that there has been a violation of this magnitude [in France]",Yann Padova, a digital data protection lawyer and former secretary-general of CNIL, remarked on the unprecedented scale of this violation in France's history to Franceinfo, a French radio network.
The breach at Viamedis is believed to have occurred through a phishing attack targeting healthcare professionals, allowing hackers to gain access using stolen credentials. Almerys, on the other hand, has not detailed the method of compromise but acknowledged that a healthcare professional's portal might have been accessed.
Still, the breach's scale suggests a substantial impact, with a significant portion of the French population's data being compromised.
CNIL has highlighted the potential for phishing threats following the breach, with concerns that the stolen data could be used in conjunction with information from other breaches for phishing attacks or social engineering. The authority is working with both Viamedis and Almerys to ensure those affected are informed in compliance with the EU's General Data Protection Regulation (GDPR). This process, however, is expected to take some time due to the large number of individuals affected.
The breach, while not involving financial information, still poses a significant risk of phishing scams, social engineering, identity theft, and insurance fraud for those affected. CNIL has committed to ensuring that Viamedis and Almerys notify impacted individuals directly and individually, as mandated by GDPR, to mitigate the risks of falling victim to phishing schemes. Despite the lack of contact data compromise, CNIL warns of the potential for combining breached data with information from previous leaks. CNIL has also opened an investigation to determine whether either organisation is at fault.
Source: EM360
Image Credit: HM
