Two payment providers for the French medical insurance industry have been breached, and a total of over 33 million records that contain sensitive information have been exposed. The incident is the biggest data breach that has ever occurred in the country, thought to impact about half of its population.
France’s lead data protection authority is investigating, but there is little public information available at present other than the eye-popping number of records involved. One detail does stand out, however: it appears that employee phishing has once again led to a monster data breach.
Payment providers breached by unknown threat actor
The two data breaches came within a week of each other, and are likely the work of the same attackers. There is no good information yet on who exactly breached the payment providers, however, and only some scraps about how it took place.
One of those scraps is significant. Viamedis, the larger of the two breached payment providers, has said that employee phishing was the cause of their incident. The other provider, Almerys, only said that the hackers accessed a patient portal but not the company’s main internal network.
The incident adds fuel to two ongoing cybersecurity fires: the continued failure of organizations handling sensitive data to require MFA and similar secondary layers of credential protection, and the use of stolen records to feed the massive “combo files” traded on the dark web.
The data breach apparently does not include bank details or medical information, and is actually relatively thin on contact information. The news is far from good, however, as the hackers may have obtained social security numbers and health insurance information from the payment providers.
Each of the companies has initiated an internal investigation, and France’s CNIL says that it is probing whether the data breaches involve GDPR violations or actionable cybersecurity failings. The French regulator has been one of the most active in this area among the EU nations, but there is not yet any sort of a timetable for the investigation.
Data breach breaks national record
France has a total population of about 67 million; the data breach is thought to touch half the country, and it is possible that nearly all of the adult population is impacted. Payment providers such as these are a central piece of the country’s health insurance system, and Viamedis is the largest of them.
The trend in the ransomware world of specifically targeting the healthcare industry remains a serious problem, as does employees’ continuing vulnerability to phishing. Healthcare has the unique problem of being not just one of the most heavily targeted sectors, but also one of the most consistently underfunded and unprepared for sudden or extended system outages. Unfortunately, the problem may well go unacknowledged outside of cybersecurity circles until more massive breaches that impact most of a country’s population appear.