33 Million French Citizens Hit by Healthcare Data Breach

Over 33 million individuals in France — nearly half the country’s population — have had their personal data exposed. This breach targeted Viamedis and Almerys, two prominent service providers in the French healthcare and insurance sectors. The French data protection authority, the National Commission on Informatics and Liberty (CNIL), confirmed the magnitude of this breach last month.

Viamedis and Almerys are known for facilitating healthcare transactions and managing sensitive data required for insurance reimbursements within France’s healthcare system. Viamedis, which serves 20 million individuals through the 84 healthcare organizations that use its services, disclosed the incident on its LinkedIn page.

The origins of the Viamedis breach have been attributed to a sophisticated phishing attack that exploited healthcare professionals’ login credentials. Almerys has been less forthcoming about the specifics of their breach, though they have stated that the attackers gained access through a portal used by healthcare providers.

The data exposed in these breaches includes names, birthdates, Social Security numbers, marital status, civil statuses, insurer details, and guarantees related to third-party payments. However, financial information, medical records, contact details, and other sensitive data were not compromised, mitigating the potential for financial fraud but not eliminating the risk of identity theft or insurance fraud.

CNIL has urged the affected individuals to remain vigilant for signs of fraud and to be cautious of phishing attempts. The authority highlighted that the exposed data, while not including contact information directly, could be combined with other information from previous breaches to facilitate fraudulent activities.

Both companies have filed complaints with the public prosecutor, and CNIL has launched an investigation to assess compliance with the EU’s General Data Protection Regulation (GDPR). This investigation aims to determine whether adequate security measures were in place and whether GDPR obligations were met.

The sensitivity of the data handled in the healthcare industry makes it a prime target for cybercriminals. This incident adds to a series of cyber attacks affecting the sector.

As the investigation continues, the affected individuals and the broader public are reminded of the ever-present need for vigilance and the importance of robust cybersecurity measures in protecting personal digital data.