The French Data Protection Agency, CNIL, is investigating two data breaches at healthcare payment processors that have affected around 33 million individuals –almost half the population of the country. Viamedis and Almerys provide technological solutions for managing third-party payments for many health insurance and mutual insurance providers. The solutions provided by the firms streamline payments in France’s complex insurance coverage system.
Viamedis confirmed last week that it recently experienced a cyberattack and data breach that resulted in the exposure of the sensitive data of policyholders, their families, and healthcare professionals. The compromised information includes names, dates of birth, insurer information, Social Security numbers, marital status, and civil status. Viamedis said banking information, medical data, health reimbursements, addresses, email addresses, and telephone numbers were not compromised as it does not store that information. The incident is still under investigation and Viamedis has yet to confirm how many of the 20 million individuals it serves have been affected. A data breach at Almerys has been reported in the media but the company has yet to publicly confirm a data breach, although as required by the General Data Protection Regulation (GDPR), the breach has been reported to CNIL.
CNIL has issued an alert that explained that Viamedis and Almerys both fell victim to a cyberattack at the end of January in which sensitive data was compromised. Combined, more than 33 million individuals have had their sensitive data exposed. Given the extent of the data breaches, CNIL decided to quickly initiate investigations into the two firms to determine if the breaches were due to a failure to implement reasonable and appropriate security measures, as required by the GDPR. CNIL is still investigating and has yet to confirm if there have been GDPR violations.
All individuals affected will be notified directly about the data breach by the insurance companies that use the solutions provided by Viamedis and Almerys and CNIL said it is taking steps to ensure notifications are issued as quickly as possible. CNIL warned that while contact information was not compromised, it would be possible to obtain that information from other sources, such as previous data breaches.