Malakoff Humanis, a French provider of insurance products and services, has disclosed a data breach that exposed the personal information of as many as 20 million policyholders in France.
The breach occurred at one of the insurance giant’s subcontractors, Viamedis, which manages third-party payments for complementary health insurance.
In an email to its customers on Feb. 1, Malakoff Humanis said that Viamedis fell victim to a cyberattack that compromised datasets including names, dates of birth, marital status, social security numbers and health insurer names of policyholders and their families.
“We inform you that Viamedis, the organization to which we subcontract the management of third-party payment for complementary health insurance, has just suffered a cyberattack,” reads a machine-translated version of the health insurance provider’s letter.
Malakoff Humanis said no banking information, medical data, postal details, telephone or email addresses were compromised, since this information is not stored on the platform.
Additionally, Christophe Candé, general director of Viamedis, told the local press that the company was not the victim of a ransomware attack.
“A healthcare professional’s account was phished,” he said.
Since the phishing attack, the platform managed by Viamedis has been offline, with users greeted by the following message:
“This site, intended for healthcare professionals, is temporarily interrupted. All teams are mobilized so that it can be reopened under maximum safety conditions, as quickly as possible.”
Despite the platform being inaccessible, Candé said, “beneficiaries will be able to continue using their vital card and their third-party payment card.”
The company has also notified the National Commission for Information Technology and Liberties (CNIL) and the National Agency for Information Systems Security (ANSSI) of the breach.
The threat actors behind the attack could use the exposed data to conduct various social engineering schemes to defraud impacted policyholders and sell the data on underground forums.
Millions of beneficiaries could fall for a phishing email or phone call asking them to confirm sensitive information and provide passwords or credit card and bank details.
Moreover, the data could be reused over and over again by various malicious actors.
With increasing cyberattacks against healthcare professionals and organizations that lead to massive data breaches and hijacked customer information, it has become imperative for individuals to remain vigilant, monitor accounts, and never respond to unsolicited requests for information.