More than 33 million individuals in France have been affected by a data breach involving two third-party payment providers: Viamedis and Almerys. France’s data protection authority, the National Freedom of Information Commission (CNIL), immediately launched an investigation into this serious cybersecurity incident.
In late January, Viamedis and Almerys, two leading third-party payment companies for complementary health insurance, fell victim to a cyberattack that compromised critical data needed for their operations. The breach exposed the personal information of policyholders and their families, including names, dates of birth, social security numbers, and health insurance policy details. The breach was the result of a phishing attack that primarily targeted healthcare workers: the attacker obtained credentials belonging to these professionals and used them to gain unauthorized access to the providers' internal systems.
Adding to the seriousness, it has since been revealed that the breach also compromised the banking details of healthcare workers. The compromised data, especially when combined with information from previous breaches, could allow cybercriminals to build detailed profiles of individuals for use in sophisticated phishing schemes.
In view of this serious breach, it is important to highlight our obligations under the General Data Protection Regulation (GDPR) regarding data protection. The GDPR mandates strict data protection requirements, especially for sensitive data, and data controllers bear significant responsibility for ensuring the security of the data they handle. In cases such as this one, where the data processors Viamedis and Almerys suffered a breach, the health insurance organizations that use their services are also implicated. These organizations are victims, but they are also responsible parties, and they failed to ensure and verify that the processors had appropriate technical and organizational measures in place to effectively protect the data. This could potentially be regarded as negligence.
The CNIL urges affected people to be extra cautious about suspicious emails and phone calls, especially ones that appear to come from health insurance companies or the Social Security Administration, and to avoid clicking on links in such communications. It has also issued an advisory urging people not to update their banking information in response to such requests.
Additionally, service providers are updating or about to update their websites and are advising individuals and healthcare professionals to change their email passwords to stronger, more secure ones, emphasizing the seriousness of the situation.
The CNIL’s ongoing investigation aims to assess the adequacy of the security measures in place at the time of the incident and of the post-breach response, in light of the General Data Protection Regulation (GDPR). As the sanction issued in April 2022 in the Dedalus case already showed, a processor of sensitive data risks being fined heavily by the CNIL directly in the event of a data breach.
This breach serves as a stark reminder of the persistent cyber threats facing personal and financial data and highlights the importance of robust cybersecurity measures, incident preparedness, and prudent data protection practices. Third-party vendors must be audited regularly.
Key recommendations for affected organizations, including the health insurance companies and mutual insurers that are customers of Viamedis and Almerys, include:
- Check your data processing agreements: Ensure that all agreements with third-party processors, such as Viamedis and Almerys, include strong data protection obligations and clear roles and responsibilities in the event of a data breach.
- Consider filing a criminal complaint: Affected organizations may need to file a criminal complaint in order to seek potential compensation from insurance companies (see the French law known as “LOPMI”).
- Notify authorities and data subjects: In accordance with the GDPR’s breach notification requirements, it is essential to promptly notify the CNIL and affected individuals of the breach.
- Implement appropriate security measures: Review and strengthen your cybersecurity measures to prevent future breaches. This includes conducting regular security audits, updating systems, and training staff on data protection best practices.
- Cooperate with the CNIL: Fully cooperate with the CNIL’s investigation and provide all information and access necessary to facilitate a thorough investigation of the breach and its effects.