Half of France’s Data Swiped in Viamedis and Almerys Cyber Attack

Nearly half the population of France has had their data exposed in a large-scale cyber attack impacting the healthcare payment services Viamedis and Almerys. 

That’s according to the National Commission on Informatics and Liberty (CNIL), which revealed last week that data belonging to more than 33 million people was stolen during the breach, including customers’ medical data and their family’s personal information.

Viamedis first disclosed the cybersecurity incident several weeks ago on LinkedIn (the company's website remains offline ), stating that it suffered a data breach impacting beneficiaries and healthcare professionals. 

The healthcare firm said the breach includes names, dates of birth, insurer details, social security numbers, marital status, civil status, and guarantees open to third-party payment.

No banking information, email addresses, postal details, or phone numbers were exposed during the hack – as Viamedis wasn’t storing this type of data on the systems breached by hackers.

The company serves 20 million insured individuals through the 84 healthcare organizations that use its services, but it opted not to disclose how many of them were impacted by the incident, saying that this is under investigation.

CNIL, however, has now confirmed both data breaches and says that the attacks impacted 33 million people in the country.

"This is the first time that there has been a violation of this magnitude [in France]," Yann Padova, digital data protection lawyer and former secretary general of the CNIL told French radio network Franceinfo. Padova believes the breach is the largest in France's history.

"These operators, who manage the third-party payment for supplementary health insurance, saw the data necessary for their missions compromised during this breach. In total, this data leak concerns more than 33 million people."

Viamedis and Almerys Breached

According to reports, Viamedis was compromised through a phishing attack that targeted healthcare professionals, with the hackers using credentials stolen from these professionals to gain access to its internal systems.

Almerys is yet to disclose how its compromise occurred, but it's likely the hack was of a similar nature. The company said that the hackers had not breached its central system but admitted that may have accessed a portal used by healthcare professionals.

Still, the number of Almerys customers impacted by the breach is huge. And If the numbers are correct, this makes the incident one of the biggest and most impactful cyber attacks in the country's history, with over half of its citizens' data stolen. 

Phishing chaos looming

CNIL said that it's working with Viamedis and Almerys to ensure those affected are informed – as is required under the EU's General Data Protection Regulation – but it'll likely take some time to get the word out to nearly half the country.

In the meantime, French officials are warning that the stolen data could be combined with data from other breaches to be used in phishing attacks or social engineering schemes. CNIL has also opened an investigation, the privacy watchdog said, to determine whether either organization is at fault for the breach.

While the exposed data does not include financial info, the data stolen is still enough to raise the risk of phishing scams, social engineering, identity theft, and insurance fraud for the exposed individuals.

CNIL has assured that it will make sure Viamedis and Almerys inform impacted persons directly and individually, as required by the General Data Protection Regulation (GDPR), to protect customers from falling for phishing scams following the attack. 

"Although contact data was not affected by the breach, it is possible that the data involved in the breach could be combined with other information from previous data leaks," CNIL warned.