Massive cyberattack: the data of 33 million French people exposed

At the end of January 2024, two third-party payment management companies, Viamedis and Almerys, were victims of a large-scale cyberattack. The personal data of more than 33 million people has been compromised, or almost half of the French population.

The course of the cyberattack

This attack took place in a context of increasing cyberattacks against health organizations in France and around the world.

In 2023, there were more than 1,000 cyberattacks against hospitals and clinics in France, an increase of 30% compared to 2022.

Chronology of events

January 29, 2024

• Viamedis suffers a large-scale cyberattack.
• Hackers manage to infiltrate the company’s computer system and exfiltrate sensitive data. The hackers usurped the identifiers of caregivers to succeed in recovering the data of the insured.
• The attack is quickly detected by Viamedis, which implements measures to limit the impact of the attack.

February 1, 2024

• Viamedis informs its customers and the authorities of the cyberattack.
• The company communicates on the data that has been compromised, specifying that banking information, postal details, telephone numbers and email addresses are not affected.
• Viamedis is implementing an action plan to support its customers and help them protect themselves against the risks of fraud and identity theft.

February 5, 2024

• Almerys, another major player in third-party payment in France, announces that it has also been the victim of a cyberattack.
• The modus operandi seems similar to that of the Viamedis attack.

February 7, 2024

• It is revealed that the data of more than 33 million people was exposed during the Viamedis and Almerys cyberattacks.
• This is one of the largest cyberattacks ever to occur in France.
• The CNIL, National Commission for Information Technology and Liberties, is opening an investigation into these two attacks.

Data stolen and exposed

The hackers managed to steal the following information:

• First and last name.
• Date of birth.
• Social security number.
• Name of health insurer.
• Contract guarantees.

Actions & Recommendations for businesses and customers

Actions taken by platforms and authorities

• Disconnection of platforms as soon as intrusions are discovered to limit damage.
• Filing a complaint with the Public Prosecutor to initiate legal proceedings.
• Notification of the CNIL (National Commission for Information Technology and Liberties) for an investigation and potential sanctions.
• Information for customers and healthcare professionals by email and via the platform websites.
• Implementation of enhanced security measures to prevent future attacks.

Recommendations for potentially affected individuals

• Monitor your bank accounts and credit card statements vigilantly for suspicious activity.
• Remain vigilant against suspicious emails and calls that do not come from a reliable source.
• Change your passwords regularly and use strong, unique passwords for each account.
• Be wary of suspicious links and attachments in emails and never open them if you are not sure where they come from.
• Contact your bank or insurer if you suspect fraud.

Impacts and consequences of this cyberattack

The attack which affected Viamedis and Almerys had significant consequences for policyholders, businesses, and the health system.

Impacts on policyholders and customers

• Personal data leak: More than 33 million people were exposed, including their names, addresses, dates of birth, social security numbers and medical information.
• Risk of fraud and identity theft: Hackers can use stolen data to impersonate victims and carry out fraudulent transactions.
• Worry and stress: Victims of the cyberattack are concerned about the use of their personal data and the potential consequences, such as monitoring of bank accounts, blocking of bank cards, etc.

Impacts on affected businesses

• Reputational damage: Customer confidence in companies has been shaken. There may be a loss of confidence from customers but also from partners.
• Significant financial costs: Companies must invest in implementing stricter IT security measures and managing the consequences of the attack. Viamedis & Almerys will have to implement additional security measures, investigate the attack, establish crisis communications, etc.
• Legal risks: Companies can be sued by victims of the cyberattack. In addition, the CNIL can sanction the companies concerned if breaches have been noted in their IT security.

Impacts on the health system

• Disruption of the third-party payment system: Cyberattacks have led to delays in processing reimbursement requests and difficulties for healthcare professionals.
• Risk of violation of medical confidentiality: Patients’ medical data have been exposed, which can have serious consequences on their privacy.

Protect yourself from these cyberattacks

To prevent and avoid finding yourself in a situation similar to that of the third-party payer managers, Viamedis and Almerys, here are several tips to protect yourself from cyberattacks:

Ensuring the protection of personal data

It is essential to protect the personal data of customers, partners, and collaborators. To do this, we recommend:

• Limit the collection of personal data to what is necessary.
• Store personal data securely.
• Only share personal data with trusted third parties, who also have a secure system.
• Comply with regulations regarding the protection of personal data.

Raise awareness and train employees and collaborators

Hackers know that employees are often the weak link in IT security. They exploit their lack of knowledge to trick them into making mistakes that can lead to cyberattacks.

This is why it is essential to:

• Train teams in cybercriminal risks and good security practices.
• Implement a clear and concise data security policy.
• Organize simulated phishing attacks to test employee vigilance.

Phishing attacks

Cyberattacks and phishing are constantly increasing. Here are some recent statistics to give you an idea of the scale of the problem:

• In 2023, there was a 50% increase in phishing attacks compared to 2022.
• Phishing attacks are the most common type of cyberattack, with 91% of cyberattacks starting with a phishing attack.
• The most common types of phishing attacks are email attacks, SMS attacks, and phone attacks.
• The average cost of a phishing attack for a company is €35,000.

Running simulated phishing attacks is a great way to educate your employees about the risks of phishing and test them on how they would react to a real attack.

Implement effective IT security measures

Here is a set of measures to put in place to ensure good IT security.

• Install reliable security solutions and keep them up to date (antivirus, firewall, intrusion detection system (IDS), etc.). We strongly recommend using a vulnerability scanner.
• Regularly update software and operating system to address known vulnerabilities.
• Perform regular security audits to identify vulnerabilities in the IT system.

Vulnerability Scanner

A vulnerability scanner is a tool used to identify vulnerabilities in a computer system. This is a type of vulnerability assessment tool that can be used to scan systems for security vulnerabilities that could be exploited by attackers.

Vulnerability scanners can be a valuable tool for improving the security of computer systems.

However, it is important to note that they are not a foolproof way to find all vulnerabilities. It is important to carry out, at least once a year, an IT security audit, or Pentest.

Pentest

IT security audits are called Pentests. A pentest, or intrusion test, is a simulation of a computer attack carried out by a security expert.

The objective is to identify vulnerabilities in a computer system or network in order to correct them before they are exploited by hackers.