Two massive healthcare data breaches just exposed more than half of France's population

Two French healthcare services firms have fallen victim to data breaches, affecting 33 million people.

Viamedis and Almerys handle payments for health insurance firms, and the stolen data includes marital status, date of birth, social security number, the name of the customer's health insurer and the guarantees of their contract. The data is believed to cover half the French population.

"Data such as banking information, medical data, health reimbursements, postal details, telephone numbers or even emails would not be affected by the violation," according to French data regulator CNIL.

"Although contact data is not affected by the breach, it is possible that the breached data could be combined with other information from previous data breaches."

It advises anybody whose data may have been affected to be cautious, particularly of any messages purporting to offer the reimbursement of health costs, and to make regular checks of their bank accounts.

The hackers are believed to have got in through a phishing attack that gave them the log-ins of health professionals.

Viamedis says it's mobilized technical teams, and is carrying out an investigation alongside relevant authorities. As soon as it became aware of the breach, it shut down its third-party payment management platform.

"Beneficiaries will be able to continue to use their carte vitale and their third-party payment card; the temporary disconnection from the Viamedis platform will only have an impact on certain health professionals, in particular opticians and audio prosthetists," the company said. "A dedicated information system for healthcare professionals has been set up."

The Almerys breach, meanwhile, is believed to involve similar personal data, with the company saying that it is monitoring its systems for any further suspicious activity. 

As well as notifying CNIL, the company has filed a complaint with the public prosecutor and informed the National Agency for Information Systems Security (ANSSI) as well as the users concerned.

CNIL said it first learned of the breach at the end of January, and is working with the health insurance companies that use Viamedis and Almerys to inform everybody affected by the breach.

"Given the scale of the violation, the president of the CNIL decided to very quickly carry out investigations in order to determine in particular whether the security measures implemented prior to the incident and in reaction to it were appropriate with regard to the GDPR obligations," it said.

Data from the healthcare industry is particularly valuable to hackers, and cyber criminal groups have been ramping up attacks on the industry in recent years. 

According to research by Atlas VPN, in the US alone, 87 million patients were exposed due to data breaches across 2023, twice as many as during the year prior.

In Europe specifically, a report from the European Union Agency for Cybersecurity (ENISA) found that healthcare providers account for more than half (53%) of the total number of security incidents across both 2022 and 2023.

Organizations operating in the space have frequently been impacted by attacks on their supply chains and service providers, the agency found, with the median cost of an incident estimated to stand at around €300,000.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.