Massive theft of social security data: 33 million people affected, CNIL launches investigation

More than 33 million people are affected by a data theft from operators that manage third-party payments for supplemental health insurance. The two operators informed the National Commission for Information Technology and Freedom (CNIL). Viamedis, which manages third-party payments for 84 supplemental health insurance plans, or 20 million people with Social Security, made the announcement last Thursday. The CNIL announced this Wednesday that Almerys had informed it that it had also been the victim of a cyberattack. Both are operators that health care professionals consult to determine whether or not they can provide third-party payment to a person covered by Social Security.

“In the case of policyholders and their families, this includes marital status, date of birth and social security number, name of the health insurance company and guarantees of the concluded contract. Data such as banking information, medical data, health reimbursements, postal information, phone numbers or even emails will not be affected by this breach,” according to the CNIL. The President of the CNIL decided to carry out the investigation very quickly.


It is up to the supplementary health insurance companies using the providers Viamedis (owned in particular by the supplementary health insurance companies Malakoff Humanis and Vyv) and Almerys to individually and directly inform all affected persons as stipulated in the General Data Protection Regulation (GDPR), explains the commission.

If you are concerned, the CNIL advises you to be aware of the requests you may receive, especially if they are related to the reimbursement of health care costs, and to regularly check the movements in your various accounts.

Theft of identifiers and passwords of health professionals.

The attack was carried out by stealing the identifiers and passwords of health workers. The alert was issued on February 1 by Viamedis, which discovered the attack and warned other third-party payment platforms. A few days later, Almerys announced that it had also detected a breach.

According to information gathered by AFP from SP Santé (a subsidiary of Cegedim) and Actil (a subsidiary of Apicil), other major third-party payment platforms appear to have been unaffected.

In early February, Viamedis, which filed a complaint with the state attorney general, said it had disconnected its administration platform after discovering the breach, which did not prevent Social Security policyholders from using third-party payments.

Data that can be “interspersed with other files”

According to cyber security specialists interviewed by AFP in recent days, the exposed data does not have much value as such, but could potentially be used in future cyber attacks.

According to Damien Bancal, a leading market watcher, “it’s not worth a lot of data, there should also be at least one email and a phone number” so they can launch attacks quickly.

Tamim Couvillers, a cybersecurity analyst at Vade, confirms that the data has little commercial value, but warns that “it can be quickly cross-referenced with other files.” So, he points out, having your target’s Social Security number “lends the credibility of a phishing email,” which consists of convincing an Internet user to click on a malicious link.

“This is fresh data,” Gérôme Billois, cybersecurity specialist at Wavestone, also commented. Almerys said on Wednesday that its central information system was not affected by the cyber attack. Only its “portal dedicated to healthcare professionals” was affected and shut down, the company said.
