The personal information of 33 million French citizens could be exposed after two French health insurance operators suffered a data breach in early February.
Viamedis, France’s leading provider of medical third-party payment, confirmed on February 1 that it had suffered a data breach.
Medical third-party payment is a French system in which a health insurance provider advances the patient fee for a medical service on behalf of the national social security services. Viamedis is the payment operator for a number of such health insurance providers.
It was later reported that threat actors gained access to Viamedis’ IT systems on January 29.
Financial and Medical Data Not Compromised
Four days later, on February 5, another third-party payment operator, Almerys, said it had also experienced a similar incident.
Both breaches could affect 33 million French citizens.
The patients’ personal information, including names, birth dates, and social security numbers, could be exposed. Details of the victims’ contract with their health insurance could also have been compromised.
Although the extent of the breach is unknown, the French data privacy watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), said that financial and medical data, as well as postal and email addresses, have not been affected by the breach.
CNIL Opens Investigation Over GDPR Infringement
On February 7, the CNIL announced that it was opening an investigation, notably to assess whether appropriate measures have been taken in due time by Viamedis and Almerys as required by the General Data Protection Regulation (GDPR).
The CNIL added that health insurance companies are responsible for informing their customers.
A CNIL spokesperson told the French newspaper Le Monde that the number of people affected by the breaches was an estimation. “The amount may be revised upwards or downwards,” they added.
Almerys had told various French media that it did not have the exact number of beneficiaries affected by the exfiltration of personal data.
Viamedis and Almerys are continuing their investigations to determine the true extent of the leak.
False News Started Circulating
On social media, several French people have started sharing statements from their health insurance companies informing them whether they were affected.
Résopharma, a service provider for health professionals, said false information was circulating in French media claiming that patients could check whether their health insurance company was using either of the two breached payment operators.
However, the owner of Résopharma, R+ said it does not have access to such information.
“We invite you to check your health insurance card to see if one of the two parties [Viamedis and Almerys] is mentioned, or to contact your insurance company directly for a precise overview of how your personal data is used,” the company said in a public statement.
CNIL’s Recommendations
In its public statement, the CNIL warned that although contact data is not affected by the breach, it is possible that the breached data is linked to other information from previous data leaks.
The regulatory body issued a couple of recommendations to people who may have their personal data exposed. These include:
- Being cautious about the solicitations they may receive, especially if they concern reimbursements of healthcare expenses
- Checking the activities and movements on their various accounts regularly