We learned yesterday that, at the end of January, cyberattacks hit two third-party payment specialists in succession, and they could well concern you directly. According to the CNIL, the breach gave access to the personal data of 33 million French people. What should we fear?
The attack is unprecedented in Europe. Almerys and Viamedis, two companies that serve as financial intermediaries between health players such as doctors, pharmacists and mutual insurance companies, announced in recent days that they had been victims of a massive theft of information on the platforms that manage third-party payment. A data leak “which would concern more than 33 million people”, the National Commission for Information Technology and Liberties (CNIL) said on February 7. That’s almost one in two French people.
What data was collected during the attacks?
In detail, the stolen data concerns the insured and their family: marital status, date of birth and social security number, the name of the health insurer, and the guarantees of the contract taken out. However, no “banking information” or “medical data” is reported to have been stolen, the CNIL specifies, even if vigilance remains essential.
How do I know if my information has been stolen?
The French people concerned are those whose mutual insurance works with Almerys or Viamedis. If this is the case with your mutual insurance company, you should find mention of one of these organizations directly on your third-party payment card.
In any case, the CNIL explains that it is up to mutual insurance companies to warn each insured person affected by the data leak. All complementary health insurers that are customers of Viamedis and Almerys should therefore inform “individually and directly all the people concerned (…) as quickly as possible”, that is to say in the coming days.
To be sure, you can also call your mutual or complementary insurer and ask whether it worked with either of the two companies that suffered the security breach.
What are the risks if my data is stolen?
Contacted by TipsForWomens, a cybersecurity specialist explains to us that the main risk of this intrusion is that it fuels future phishing attacks (scams) by email or telephone. “The stolen data can help give credibility to the approach of fake mutual insurance brokers, for example, who will try to reassure you. After all, they have your date of birth, and your social security number… Which can mislead you. This data in their possession can reinforce phishing scenarios in the more or less near future.”
The other direct threat that our expert sees is that of access to certain sites without your knowledge. “The social security number is currently used as an identifier for certain state services. Fortunately, this was locked last year for the most sensitive sites (via Europe Connect +) but it remains an identifier in some cases, and even if it is necessary to add a code, it still represents part of the key.”
How to best protect yourself?
Faced with the threat, the CNIL therefore calls for the greatest caution regarding any requests, whether by telephone or email, that use your data as a guarantee of credibility. It points out that under no circumstances will an informative email like those you should receive ask you to click on a link to confirm your data or, even less, your bank account.
Requests for reimbursement of health costs should also prompt you to verify the sender and to connect directly to the official Health Insurance website or that of your mutual insurance company to check the information.
Unfortunately, beyond this vigilance, there is not much more you can do to get out of the risk zone. A social security number or date of birth cannot be changed. “What is infuriating with this type of leak is that ultimately the affected beneficiaries do not have much room for maneuver on a personal level to protect themselves. It is the mutual insurance companies that are affected and we can only rely on our vigilance to avoid the risk,” regrets our expert.
The CNIL, however, advises you to periodically check the activities and movements on your various accounts, and to report emails that you consider doubtful on the government platform Pharos by selecting the “scam” category.