More than 33 million people affected by cyberattacks against two third-party payment specialists, the CNIL announces

Viamedis and Almerys are responsible for managing third-party payment for complementary health insurance. Marital status, date of birth and social security number are among the information stolen from social security holders during the attacks.


The headquarters of the National Commission for Information Technology and Liberties, October 8, 2010 in Paris. (ETIENNE LAURENT / AFP)

The National Commission for Information Technology and Liberties (CNIL) announces the opening of an investigation, on Wednesday, February 7, after the recent hacking of two third-party payment operators, Viamedis and Almerys. It mentions a violation “of magnitude” since the data of 33 million people are affected. “The CNIL was informed by [these companies] of the computer attack of which [they] were victims at the end of January”, specifies a press release. These operators are responsible for managing third-party payment for complementary health insurance. “The data concerned are, for the insured and their family, marital status, date of birth and social security number, the name of the health insurer as well as the guarantees of the contract taken out.”

On the other hand, continues the CNIL, banking information, medical data, health reimbursements, postal details, telephone numbers and even emails “would not be affected by the violation”. At this stage, the organization is not yet able to indicate which policyholders are affected. It refers to “the complementary health insurance which uses hacked companies” and which must inform “the beneficiaries concerned as provided for in the General Data Protection Regulation (GDPR)”.

An intrusion into the Viamedis platform

The president of the CNIL, Marie-Laure Denis, “decided to carry out investigations very quickly in order to determine in particular whether the security measures implemented prior to the incident and in response to it were appropriate with regard to the obligations of the general data protection regulation”.

At the beginning of February, Viamedis, which filed a complaint with the public prosecutor, indicated that it had disconnected its management platform after the discovery of the intrusion, which did not prevent policyholders from benefiting from third-party payment. Its general director, Christophe Candé, explained that it was not a ransomware attack but an intrusion into the platform. “A healthcare professional’s account was phished”, he then revealed.

