What we know about the massive hacking that concerned 33 million French people

Which companies are attacked?

Viamedis (a subsidiary of Malakoff health insurers Humanis and Vyv) and Almerys (an independent Be-Ys group) are third-party payment operators on behalf of health insurers. In particular, they allow health professionals (especially pharmacists, opticians) to verify that their client is a member of supplementary health insurance and is entitled to third-party payment. Almeris thus has 230,000 allied health professionals.

What method of attack?

Attacker(s) managed to get their hands on username/password pairs of healthcare professionals. Once connected, the attackers were able to “suck the display pages” of Social Security insured individuals eligible for third-party payments using “a bot,” an automated process, according to Almeris.

Attackers would have remained on the periphery of the Elmeris system, only on portals allowing data consultation. The company’s central information system “did not suffer any intrusion”, according to Almeris. The attack originated from “2 IP addresses” that were “identified”.

What data was stolen?

According to the CNIL, “the relevant data, for policyholders and their families, are marital status, date of birth and social security number, the name of the health insurer as well as the contractual guarantee subscribed”. It does not contain important information for hackers like banking information, medical data, health reimbursement, postal details, telephone number, email etc.

Stolen data alone does not allow attacks to be mounted and the data has almost no value on the black market, experts explain. However, if they are crossed with other files by hackers with good organization, they make it possible to mount phishing attacks. The hacker will have information at his disposal that will allow him to establish his credibility in the eyes of his victim.

What to do to protect yourself?

Supplemental health insurance companies are required by law to personally notify people whose data has been stolen. To Concerned: Be extra vigilant and strictly implement safety instructions given by all online operators in the health sector or elsewhere.

“You should never communicate personal and/or banking data, passwords, etc. by telephone or e-mail,” ViaMedics reminded Thursday. In the case of a fraud attempt, you must “keep all the evidence (messages, website address, screenshots, etc.) and declare it on the government website dedicated to this purpose, internet-signalement.gouv.fr », the same source indicates. .

What about health professionals?

They must have been affected too. According to the Federation of Pharmaceutical Unions of France (FSPF), Viamedis indicated that the email address, Viamedis login, RIB, Siret number (…) may have been stolen. Viamedis has made available a toll-free number for professionals: 0805 62 00 10

How many people were affected?

The exact extent of the data leak is still unclear. According to the CNIL, the data leak “concerns 33 million people”. But it is not certain that pirates actually have a file of 33 million names today. According to the information known to date, this figure is based on the number of people that Viamedis and Almeris mentioned, and not on the number of people whose data was actually copied. There could also be duplicates, said an expert.

What judicial and legal consequences?

The CNIL (the French digital rights watchdog) launched an investigation to determine whether the two companies had properly implemented the security procedures required by the European data law (GDPR). Both the companies filed a complaint before the public prosecutor. Anssi (French IT Security Agency) has been alerted.

Examples in France?

In 2021, the Assistance publique des Hôpitaux de Paris (AP-HP) revealed that the personal data of 1.4 million people who had taken a Covid test had been stolen in a computer attack. This data does not include any medical components but includes “the identity, social security number, and contact details of those tested.”

That same year, the Paris prosecutor’s office launched an investigation into the leak of sensitive medical data of 500,000 people at medical analysis laboratories. This includes information on patients’ identities and sometimes their health conditions (such as pregnancy, HIV infection). Daedalus Health software, used by medical analysis laboratories, was identified as the source of the leak after it was hit by a computer attack.