A massive security breach has been confirmed with almost one in two French citizens affected, involving two service providers for medical insurance companies.
This article was written by Graeme Hanna and originally published by ReadWrite.
The third-party payment portals involved were Viamedis and Almerys, due to the former experiencing a sophisticated phishing attack that compromised its systems late last month. Almerys did not elaborate on the cause of its loss, but it is thought to be a similar incident.
The French Data Protection Authority (NCIL) detailed the full incident, with around 33 million customers’ data stolen. The leaked data includes personal information such as birth dates, marital status, social security numbers, and insurance details. NCIL moved to allay further fears by stating no banking credentials, medical data, or contact numbers were lost but the scale of the cyber attack is clear.
Yann Padova, a digital data protection lawyer and former secretary general at CNIL commented on the seriousness of the data breach, “This is the first time that there has been a violation of this magnitude (in France),” further adding it was suspected to be the biggest ever leak of its kind, in France.
Investigation underway
The attackers used credentials stolen from healthcare professionals, in a targeted raid, to access the systems at the two companies.
CNIL is now working with Viamedis and Almerys to contact all those impacted, as bound by the European Union’s General Data Protection Regulation. However, given the sheer number of customers involved it will take some time to complete the task.
As a result of this attack, the “tiers payant” system in which patients do not need to contribute the full cost of medical services in advance may be unavailable for providers for some time, but users will still have access.
The French data authority has sent out a renewed warning, to be wary of phishing attacks, given the volume of compromised data now in the wrong hands whilst a full investigation is underwater to ascertain exactly how the massive breach happened and if Viamedis or Almerys are culpable.
