Civil status, social security number, information on mutual insurance: “more than 33 million” French people are affected by data theft during a cyberattack against third-party payment managers, the CNIL revealed on Wednesday.
How did this hack happen?
Two companies serving as intermediaries between health professionals – doctors, pharmacists, opticians, etc. – and the complementary health insurance companies were the target of an attack: Viamedis (owned in particular by the complementary health insurance companies Malakoff Humanis and VYV) and Almerys. These are the operators that a health professional questions to find out whether or not he can grant third-party payment to a social security person.
The attack was carried out by the usurpation of the identifiers and passwords of healthcare professionals. The alert was given on February 1 by Viamedis, which detected the attack, disconnected its management platform upon discovery of the intrusion and notified the other third-party payment platforms. A few days later, Almerys announced that it had also detected an intrusion. The general director of Viamedis, Christophe Candé, explained that it was not a “ransomware” attack, but an intrusion into the platform. “A healthcare professional’s account was phished,” he revealed.
Almerys and Viamedis have not released any information to understand whether the attacks were simply aimed at stealing data or whether they could have other objectives, such as planting ransomware. Viamedis also filed a complaint with the public prosecutor. The other major third-party payment platforms do not appear to have been affected, according to information collected by AFP from SP Santé (subsidiary of Cegedim) and Actil (subsidiary of Apicil).
What data is concerned?
“More than 33 million people [sont concernées par une violation de données, qui comprend] for policyholders and their families: marital status, date of birth and social security number, name of the health insurer as well as the guarantees of the contract subscribed,” the CNIL said in a press release.
But, according to the digital privacy watchdog, “banking information, medical data, health reimbursements, postal details, telephone numbers, [ou encore les adresses électroniques] would not be affected.
What are the risks ?
According to cybersecurity specialists interviewed in recent days by AFP, the exposed data does not have great value as such, but could potentially be used in future cyberattacks. “It’s not worth much, as data, there should also be at least an e-mail and a telephone number [pour qu’elles permettent de monter des attaques rapidement]”, assures Damien Bancal, great observer of the black market for stolen data and host of Zataz.coma French information site mainly dealing with computer crime.
Tamim Couvillers, analyst at the cybersecurity company Vade, confirms that this data has little market value, but warns that it “can quickly be crossed with other files”. Thus, he emphasizes, having the social security number of your target “allows you to give credibility to an email from phishing [hameçonnage]”, consisting of encouraging the Internet user to click on a malicious link. “This is fresh data,” also commented cybersecurity expert Gérôme Billois, from the company Wavestone.
What can those affected do?
To find out if information about you, particularly your social security number, is potentially out there, you can go to the site Resopharma.fr. This site allows you to find out if your health insurance is managed by one of these two third-party payment providers.
The CNIL advises victims of this data theft to “be careful [es] on requests [qu’elles peuvent] receive, in particular if they concern reimbursements of health costs, [mais aussi] to periodically check the activities and movements on [leurs] different accounts.”[Il est en effet] “It is possible that the data that was the subject of the breach is coupled with other information from previous data leaks.”
In addition, if in doubt, it is advisable to change the password of the email address associated with your mutual insurance company and your personal space on Ameli. “The social security number is unique. You cannot change it. However, the associated password must also be unique. You must change it for security, in order to prevent someone from entering your account, whether it is that of the mutual insurance company or your Ameli service”, explains to TF1 Luména Duluc, cybersecurity expert and director of the French Information Security Club (Clusif).
How can we prevent these types of hacks in the future?
“Given the scale of the violation”, the CNIL announced that it would “conduct investigations very quickly”, in particular to verify whether the security measures of the operators affected by the cyberattack complied with their data protection obligations. She also called on the supplementaries using Viamedis and Almerys to inform “individually and directly” all their policyholders concerned, warning that she will ensure that this is done “as quickly as possible”.