The French healthcare and insurance industries have been shaken at the start of 2024 by the announcement of a massive breach of personal data by two of its main service providers, Viamedis and Almerys. Both said they were victims of data compromises on an unprecedented scale in the French national territory. Their platforms were infiltrated by cybercriminals in late January/early February, as the attackers reportedly accessed archives of personal data including social security numbers and professional data.
On 7 February, the French National Commission on Informatics and Liberty (CNIL), the national authority responsible for oversight of personal data protection, revealed that over 33 million individuals — nearly half of the French populace — were potentially affected. This figure is drawn from initial notifications from Viamedis and Almerys, who together service over 150 mutual insurance partners and process data for nearly 40 million insured individuals. As the investigation proceeds, a precise count of the affected individuals is still unknown.
The compromised data includes names, addresses, dates of birth, social security numbers and specific insurance policy data. Financial and medical information was apparently not affected. However, professional information regarding medical providers, which is critical for managing third-party payments, has been exposed. This can seriously complicate the patient care process and create new challenges, such as in sectors like optometry, where upfront costs are substantial.
This cyberattack underscores an ongoing problem of keeping personal data safe in the digital age. While it’s not as large-scale as something like the 2017 Equifax breach, which exposed sensitive info for about 147 million individuals, it’s large enough to reinforce that cybersecurity threats are a worldwide problem. It also illustrates the relatively sophisticated techniques that cybercriminals are using: it isn't just a case of targeting a website, but exploiting weaknesses in entire digital ecosystems to get access to huge amounts of information.
The Viamedis and Almerys incident doesn't end with the leak, either. People affected are at immediate risk of phishing attempts that use the exact sort of personalized info they’ve lost. Also, the long-term risk of identity fraud reveals the real-world implications of attacks like these. Now, victims not only have to deal with the problem of having their personal data leaked, but also prepare for the possibility of fraudulent purchases, having their credit cancelled or going through the hassle of reclaiming their identities. This is a clear example of why constant vigilance and protective measures against such threats are necessary when handling large amounts of personal data.
This news is also a reminder of the need for both private and corporate customers to practice sound security policy. On the part of users, this includes being extremely vigilant when someone contacts us unsolicited, asking ourselves to whom we give information before we share it and, in general, being ultimately responsible for our own security. Companies, for their part, must reflect these measures in their defense strategies and implement in-depth data protection. More importantly, the incident underscores the need for digital trust, which demands both technical solutions and a shift in organizational culture to ensure personal data is protected.
Building and maintaining digital trust is anything but simple. It requires a sustained and evolving effort to protect ourselves against an increasingly dangerous array of cyber threats, an ongoing and substantial investment in cybersecurity, and a commitment to open and accountable measures that govern the data entrusted to us. After all, as digital interactions become an increasingly fundamental part of our daily lives, protecting that personal information is the cornerstone upon which trust in our digital economy rests.
In summary, the cyberattack against Viamedis and Almerys reminds us once again that all digital infrastructure is vulnerable (and that we are all potential targets), as well as about the importance of individual vigilance and the need to embrace digital trust. Safeguarding our data has never been more vital, so users and businesses must accept our collective responsibility to keep personal information safe. The road to digital trust is long and complex, but we can create a safer digital society through continued education and implementation of the right frameworks.
About the author: Pablo Ballarin is an independent cybersecurity consultant who helps companies in a variety of industries define and implement their cybersecurity strategies to establish trust. Often, trust also requires managing the risks associated with emerging technologies, such as lack of transparency, loss of human autonomy, bias and security. For this reason, his advisory services also cover responsible AI.
Pablo is founder of Balusian, professor, lecturer, member of the scientific council of IAEAI (Israel Association for Ethics in Artificial Intelligence), board member of ISACA Valencia, member of the ISACA Emerging Trends Working Group and coordinator of the Center for Industrial Cybersecurity (CCI) in Spain.
Pablo is a Telecommunications Engineer, MsC in Artificial Intelligence and is currently finishing an MsC in Philosophy for Contemporary Challenges. He holds the following professional certifications:CISM, CISA, CRISC, CDPSE, CSX-F, CISSP, CEET, CEHv9, ISO 27001 LA, TOGAF, ISO 20000-1, ITILv3.