Third-party payment hacking: are our personal data effectively protected?

2024-04-24 09:30:34

At the beginning of February, the computer networks of Viamedis and Almerys were infiltrated by hackers, who got their hands on the personal data of around 30 million French people. What are the consequences?

Generally, these two operators managing third-party payment for complementary health insurance remain unknown to the general public. But Viamedis and Almerys made headlines after having to acknowledge a cyberattack affecting their IT infrastructure.

Although these two companies remain very discreet about the technique used by the attackers, leaks in the press suggest a very classic method: phishing. Healthcare professionals reportedly took the hackers' bait and revealed the credentials they use to access the platforms' systems. Once in possession of these precious keys, the attackers would have taken advantage of vulnerabilities to penetrate the network and access the databases.

This major data leak includes, for policyholders and their families, marital status, date of birth and social security number, the name of the health insurer as well as the guarantees of the contract taken out.

The CNIL and the two third-party payment platforms indicated that neither banking information nor strictly medical data, nor telephone numbers or emails had been stolen.

But the most annoying thing is that cyberattackers have our social security number. While a data leak regarding usernames and passwords may have limited impact, as long as the people affected react quickly by changing their passwords, it is a different matter with the social security number.

It is impossible to change! Worse, this information is essential to access numerous online platforms via the FranceConnect service: taxes, retirement, benefits, unemployment, renewal of identity papers, vehicle registration, etc.

A fine of 1.5 million euros

"If you are an affected person, the CNIL advises you to be careful about the requests you may receive, in particular if they concern reimbursements of health costs, and to periodically check the activities and movements on your various accounts." Do not click on messages (SMS and emails) impersonating health organizations (Ameli, complementary health insurers) that ask you for bank card details under various pretexts: computer failure, cyberattack, update, etc.

This type of scam did not wait for the cyberattack affecting Viamedis and Almerys to multiply. Who has not received an SMS supposedly sent by Ameli asking them to pay around ten euros to update their Vitale card?

The most worrying thing about this affair is that the protection of our personal data does not seem to be very robust or, above all, monitored in real time to spot the slightest signs of an intrusion in progress. France, however, has an imposing legal arsenal regarding the confidentiality of personal data.

The French law on the protection of personal data is Law No. 2018-493 of June 20, 2018. It adapts the law of January 6, 1978 relating to computing, files and freedoms to the European legal framework which entered into force on 25 May 2018. At the European level, the General Data Protection Regulation (GDPR) has been enforceable since 2019 to protect citizens against these leaks. Despite these measures, incidents are increasing: Pôle Emploi was the victim of a major data breach in August 2023.

Fortunately, companies are being sanctioned. Following a massive leak of health data concerning nearly 500,000 people, disclosed in February 2021, the CNIL imposed a fine of 1.5 million euros on the company Dedalus Biologie, in particular for breach of its data security obligation.

