The CNIL has launched an investigation into a significant data breach affecting over 33 million individuals in France, involving third-party payment operators Viamedis and Almerys. It is the biggest breach in France involving sensitive data.
Personal details including social security numbers and health insurance information were compromised, as well as banking details of healthcare professionals, raising the potential for phishing attacks. The CNIL advises increased vigilance against suspicious communications and emphasizes the importance of robust cybersecurity practices.
The GDPR underscores the need for stringent data protection, highlighting that breached entities may have failed to ensure adequate security measures. Clients of Viamedis and Almerys should verify data processing agreements, and possibly file criminal complaints, notify authorities and affected individuals, enhance security measures to prevent future breaches, and ensure full cooperation with the CNIL's investigation.
More than 33 million individuals in France have been affected by a data breach involving two third-party payment operators, Viamedis and Almerys. The Commission Nationale de l'Informatique et des Libertés (CNIL), France's data protection authority, has promptly initiated an investigation into this significant cybersecurity incident.
In late January, Viamedis and Almerys, key players in handling third-party payments for complementary health insurance, fell victim to a cyberattack that compromised critical data necessary for their operations. The breach exposed personal details of policyholders and their families, including names, dates of birth, social security numbers, and specifics of health insurance contracts. The data leakage was primarily due to a phishing attack targeting healthcare professionals: attackers obtained credentials from these professionals, enabling unauthorized access to the service providers' internal systems.
Adding to the severity, recent revelations have uncovered that the breach also compromised the banking details of healthcare professionals. The breached data, particularly when combined with information from previous leaks, could enable cybercriminals to construct detailed profiles for sophisticated phishing schemes.
In light of this major breach, it is important to highlight the obligations under the General Data Protection Regulation (GDPR) regarding the protection of data. The GDPR mandates stringent data protection requirements, especially for sensitive data, and places significant responsibility on data controllers to ensure the security of the data they handle. In situations like the current one, where Viamedis and Almerys, acting as data processors, have experienced a breach, the health insurance organizations that use their services are also affected. These organizations are victims, like the data subjects, but could also be considered at fault for not ensuring and verifying that their processors had implemented adequate technical and operational measures to protect the data effectively.
The CNIL has issued advice urging those affected to exercise increased caution against any suspicious emails or phone calls, especially those purporting to be from health insurance companies or social security offices, and to refrain from clicking on links or updating banking information through such communications.
Furthermore, the service providers have updated, or are about to update, their websites to advise individuals and healthcare professionals to change their email passwords to stronger, more secure ones, underlining the seriousness of the situation.
The CNIL's ongoing investigation aims to assess the adequacy of the security measures in place at the time of the incident and the responses following the breach, in compliance with the General Data Protection Regulation (GDPR). As already noted in a sanction published in April 2022 (the Dedalus case), a processor of sensitive data can be directly subject to hefty fines from the CNIL in the event of a data breach.
This breach serves as a stark reminder of the persistent cyber threats facing personal and financial data, underlining the importance of robust cybersecurity measures, incident preparedness and vigilant data protection practices. Third-party vendors must be regularly audited.
The key recommendations for any affected organizations, such as the clients of Viamedis and Almerys, the health and mutual insurance companies, are:
Authored by Patrice Navarro.