Significant data breach investigation launched by CNIL affecting over 33 million in France

Hogan Lovells

The CNIL has launched an investigation into a significant data breach affecting over 33 million individuals in France, involving third-party payment operators Viamedis and Almerys. It is the biggest breach in France involving sensitive data.

Personal details including social security numbers and health insurance information were compromised, as well as banking details of healthcare professionals, raising the potential for phishing attacks. The CNIL advises increased vigilance against suspicious communications and emphasizes the importance of robust cybersecurity practices.

The GDPR underscores the need for stringent data protection, highlighting that breached entities may have failed to ensure adequate security measures. Clients of Viamedis and Almerys should verify data processing agreements, and possibly file criminal complaints, notify authorities and affected individuals, enhance security measures to prevent future breaches, and ensure full cooperation with the CNIL's investigation.


More than 33 million individuals in France have been affected by a data breach involving two third-party payment operators, Viamedis and Almerys. The Commission Nationale de l'Informatique et des Libertés (CNIL), France's data protection authority, has promptly initiated an investigation into this significant cybersecurity incident.

In late January, Viamedis and Almerys, key players in handling third-party payments for complementary health insurance, fell victim to a cyberattack that compromised critical data necessary for their operations. The breach has exposed personal details of policyholders and their families, including names, dates of birth, social security numbers, and specifics of health insurance contracts. The data leakage was primarily due to a phishing attack targeting healthcare professionals: the attackers obtained credentials from these professionals, which enabled unauthorized access to the service providers' internal systems.

Adding to the severity, recent revelations have uncovered that the breach also compromised the banking details of healthcare professionals. The breached data, particularly when combined with information from previous leaks, could enable cybercriminals to construct detailed profiles for sophisticated phishing schemes.

In light of this major breach, it is important to highlight the obligations under the General Data Protection Regulation (GDPR) regarding the protection of personal data. The GDPR mandates stringent data protection requirements, especially for sensitive data, and places a significant responsibility on data controllers to ensure the security of the data they handle. In a situation like the present one, where Viamedis and Almerys, acting as data processors, have experienced a breach, the health insurance organizations that use their services are also implicated. These organizations are both victims, like the data subjects, and could also be considered at fault for not ensuring and verifying that their processors had implemented adequate technical and operational measures to protect the data effectively.

The CNIL has issued advice urging those affected to exercise increased caution against any suspicious emails or phone calls, especially those purporting to be from health insurance companies or social security offices, and to refrain from clicking on links or updating banking information through such communications.

Furthermore, the service providers have updated, or are about to update, their websites to advise individuals and healthcare professionals to change their email passwords to stronger, more secure ones, emphasizing the seriousness of the situation.

The CNIL's ongoing investigations aim to assess the adequacy of the security measures in place at the time of the incident and the responses following the breach, in compliance with the General Data Protection Regulation (GDPR). As already noted in a sanction published in April 2022 (the Dedalus case), a processor of sensitive data can be directly subject to hefty fines from the CNIL in the event of a data breach.

This breach serves as a stark reminder of the persistent cyber threats facing personal and financial data, underlining the importance of robust cybersecurity measures, incident preparedness and vigilant data protection practices. Third-party vendors must be regularly audited.

The key recommendations for any affected organizations, such as the clients of Viamedis and Almerys (the health and mutual insurance companies), are:

  1. Verify Data Processing Agreements: Ensure that all agreements with third-party processors like Viamedis and Almerys include strong data protection obligations and clear responsibilities and liabilities in the event of a data breach.
  2. Consider Filing a Criminal Complaint: Affected organizations may need to file a criminal complaint to pursue potential indemnification from insurers (see the French law known as “LOPMI”).
  3. Notify Authorities and Data Subjects: It's imperative to promptly inform the CNIL and affected individuals about the breach, following GDPR requirements for breach notification.
  4. Implement Proper Security Measures: Review and enhance cybersecurity measures to prevent future breaches. This includes conducting regular security audits, updating systems, and training staff on data protection best practices.
  5. Cooperate with the CNIL: Fully collaborate with the CNIL's investigation, providing all necessary information and access to facilitate a thorough examination of the breach and its implications.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
