Data breaches at two French healthcare payment service providers, Viamedis and Almerys, have now been determined to impact over 33 million people in the country.
Viamedis and Almerys provide healthcare and insurance services in France with technological and administrative solutions to facilitate transactions.
They manage the sensitive data of policyholders required for granting reimbursements and generally streamline the payment process in France’s complex, multi-layered insurance coverage system.
Viamedis first disclosed the cybersecurity incident one week ago on LinkedIn (the company’s website remains down), saying that it suffered a data breach impacting beneficiaries and healthcare professionals.
The company said the exposure includes names, dates of birth, insurer details, social security numbers, marital status, civil status, and guarantees open to third-party payment.
No banking information, email addresses, postal details, or telephone numbers were exposed, as Viamedis said it does not store this type of data on the breached systems.
The company serves 20 million insured individuals through the 84 healthcare organizations that use its services, but it opted not to disclose how many of them were impacted by the incident, saying that this is under investigation.
The breach at Almerys was initially reported by local news outlets citing anonymous sources, and the firm has yet to release an official statement on the incident.
However, the data protection authority in France (CNIL) has now confirmed both data breaches and says that the attacks impacted 33 million people in the country.
“The CNIL was informed by Viamedis and Almerys of the cyberattack they fell victim to at the end of January,” reads the announcement.
“These operators, who manage the third-party payment for supplementary health insurance, saw the data necessary for their missions compromised during this breach. In total, this data leak concerns more than 33 million people.”
This makes the incident one of the most impactful cyberattacks in the country’s recent history, affecting nearly half of its entire population.
Although the exposed data does not include financial information, it is still enough to raise the risk of phishing scams, social engineering, identity theft, and insurance fraud for the exposed individuals.
CNIL states that it will ensure that Viamedis and Almerys inform impacted persons directly and individually, as required by the General Data Protection Regulation (GDPR).
If you suspect you are among the impacted, it is advisable to keep a close eye on your accounts and treat incoming communications, especially solicitations concerning health insurance cost reimbursements, with suspicion.
“Although contact data was not affected by the breach, it is possible that the data involved in the breach could be combined with other information from previous data leaks,” warns CNIL.
Finally, the data protection authority announced the launch of an investigation into this incident to determine what security measures were in place at the two companies and whether GDPR obligations were met.