The recent data breaches at two French health insurance operators have put the personal information of 33 million French citizens at risk. Both Viamedis and Almerys, which operate as medical third-party payment providers, reported security incidents in early February.
Viamedis, the leading provider of medical third-party payment in France, confirmed on February 1 that it had suffered a data breach. This breach allowed threat actors to gain unauthorized access to the company’s IT systems on January 29. Four days later, Almerys, another third-party payment operator, revealed that it had also experienced a similar incident.
As a result of the breaches, the personal information, including names, birth dates, social security numbers, and details of the victims’ contracts with their health insurance, could be exposed. However, it was reported that financial and medical data, along with postal and email addresses, have not been compromised.
In response to the breaches, the French data privacy watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced that it was opening an investigation to determine whether appropriate measures were taken in a timely manner by Viamedis and Almerys as required by the General Data Protection Regulation (GDPR).
The CNIL emphasized that the health insurance companies are responsible for informing their customers about the breach. Additionally, the regulatory body warned people to be cautious about any solicitations they may receive, especially if they concern reimbursements of healthcare expenses, and advised them to regularly check the activities and movements on their various accounts.
False information regarding the breaches has started circulating on social media, leading to confusion among French citizens. Résopharma, a service provider for health professionals, clarified that it does not have access to information about whether a patient’s health insurance company uses the two breached payment operators. The company urged individuals to check their health insurance cards or contact their insurance company directly for precise information on how their personal data is used.
Amidst the confusion caused by false information, Viamedis and Almerys are continuing their investigations to determine the full extent of the data leak. However, both companies have acknowledged that they do not have the exact number of individuals affected by the breach. The CNIL has also indicated that the estimation of 33 million French citizens affected by the breaches could be revised.
The breaches have raised concerns about the security of personal data and the potential impact on millions of individuals across France. As the investigation unfolds and the full extent of the leak is determined, there will likely be increased scrutiny on the measures taken by companies to protect the personal information of their customers.