Two third-party payment operators were recently breached, leaking the personal information of nearly half of France’s population.
What Happened
Two French third-party healthcare payment service providers, Viamedis and Almerys, were recently targeted in a massive data breach. It’s estimated that 33 million individuals may be affected, accounting for nearly half of France’s population. It’s recorded as the largest breach in France’s history.
Exposed data includes Social Security numbers, dates of birth, marital status, and family details, including the names of family members.
According to the National Commission on Informatics and Liberty (CNIL), France’s regulatory body responsible for enacting data privacy law, no banking information, medical data, or contact information has been compromised.
The breach took place in January of this year, but the CNIL released its first report regarding the matter on February 7th.
Diving into the Details
Both Viamedis and Almerys help streamline the reimbursement and payment process in France’s complex insurance system.
Viamedis alone serves approximately 20 million insured individuals and works with 84 healthcare organizations that use its services.
According to the General Director, Christopher Cande, the attack on Viamedis began with a phishing incident against an employee. Once the employee’s email account was compromised, the attacker was able to access Viamedis’ IT network and systems.
The company announced the data breach via LinkedIn, dating the news release to February 1st. The post stated that as soon as Viamedis became aware of the attack, the company disconnected its third-party payment management platform. Viamedis’ website remains down at this time.
Viamedis has since stated that it completed a cybersecurity investigation and is gradually reopening its third-party payment platforms. Some, but not all, of the healthcare providers served by the company remain affected.
Almerys announced its own attack just four days later, on February 5th. Almerys has said it does not have the exact number of impacted individuals, nor has it specified what data was exfiltrated. Like Viamedis, Almerys works with a number of healthcare providers to assist with the payment and reimbursement process in France’s healthcare system.
The Investigation Begins
On February 7th, the CNIL announced the regulatory body was opening an investigation to determine if Viamedis and Almerys were appropriately prepared for the attack and if their response was adequate. This investigation is required by the General Data Protection Regulation (GDPR), the EU data privacy and security law that is generally regarded as the most stringent in the world.
Because the data from Almerys is still incomplete, a CNIL spokesperson told the French newspaper Le Monde that the number of individuals impacted, 33 million, is an estimate. The figure will likely change as more information is discovered.
In its announcement, the CNIL said it will work as quickly as possible to complete the investigation and determine whether the companies could have prevented the data breach. The CNIL itself is unable to tell individuals whether they are impacted.
The CNIL also shared that health insurance companies are responsible for directly and immediately informing customers. Many have already begun releasing notices to patients online and via mail.
While the CNIL investigates the situation, Almerys and Viamedis will also continue their own investigation, likely providing the public with more information in time.
A String of Rumors
Many individuals have begun receiving notice from their health insurance providers, but some individuals are being misled by the media.
One service provider, Resopharma, said that some French media have falsely claimed that patients could check if their health insurance company was using Almerys and Viamedis.
While some insurance cards may include information about Viamedis and Almerys, many won’t, and individuals will unfortunately have to wait to receive notice. Customers who may be affected should watch for alerts and monitor their insurance company’s website for confirmation.
What the Experts Said
The CNIL has limited information on the breach but does recommend individuals carefully monitor any requests they receive, especially if requests concern reimbursement of health care costs. The CNIL also recommends individuals keep an eye on banking and medical accounts for any suspicious activity.
The CNIL said, “Although contact data is not affected by the breach, it is possible that the breached data could be combined with other information from previous data breaches.”
In Viamedis’ most recent post on LinkedIn, the company shared, “After an in-depth analysis carried out by cybersecurity experts (CSIRT) in conjunction with the competent authorities and thanks to the mobilization of all Viamedis teams, we are gradually reopening our third-party payment management platform, under reinforced security conditions.”
Why It Matters
With such a massive amount of data leaked, it’s possible that hackers could combine this information with data stolen in other, smaller breaches. Although contact information was not exfiltrated, threat actors may be able to compile enough data to defraud policyholders or sell their personal information.
Recent reports also show that regulators continue to crack down on companies under the GDPR. Between 2020 and 2021, fines for non-compliance increased sevenfold, totaling approximately $1.25 billion.
How Cloudticity Can Help
Cyberattackers are becoming increasingly sophisticated, and massive breaches like this one show the importance of a robust cybersecurity infrastructure.
Even as threats become harder to prevent, healthcare organizations are still held to high regulatory standards for protecting patient data. If Viamedis and Almerys are found partially responsible for the data breaches, they will likely face hefty financial and legal consequences.
To best prevent or mitigate an attack, healthcare organizations need robust security systems. Cloudticity offers management and data protection for all major public clouds, including AWS, Azure, and GCP.
Cloudticity ensures infrastructure is tightly monitored and secured so that apps and data hosted on the cloud are compliant with major regulations including GDPR, HIPAA, NIST, and more.
As a HITRUST CSF certified solution, Cloudticity has been keeping patients and providers safe and compliant since 2011. And we’ve never had a breach.
Connect with Cloudticity for a free consultation today.