“We inform you that Viamedis, the organization to which we subcontract the management of third-party payment for complementary health insurance, has just suffered a cyberattack”, announced the supplementary health insurance giant Malakoff Humanis in an e-mail sent to its customers on Thursday February 1. The cause: phishing of the account “from a healthcare professional”, explained Christophe Candé, general director of Viamedis.
As a result, the volume of data exposed could be colossal. Viamedis manages 84 complementary health insurance plans, representing 20 million policyholders. It is linked to mutual insurance companies such as Malakoff Médéric, Audiens and Santéclair. “The personal data exposed is limited and is the following for yourself and your family: marital status, date of birth and social security number, name of your health insurer and guarantees of your contract”, specifies Malakoff Humanis in its letter.
Site still inaccessible, disruptions expected for certain health professionals
The Malakoff Humanis group insists, however, that banking information, medical data, postal details, telephone numbers and email addresses are not stored on the platform. It states that “the platform has been disconnected” and that a complaint was filed with the public prosecutor. The National Commission for Information Technology and Liberties (CNIL) and the National Agency for Information Systems Security (ANSSI) were also notified.
According to the general director of Viamedis, “beneficiaries will be able to continue to use their Carte Vitale and their third-party payment card”, even if access to the platform could be difficult for “certain healthcare professionals, particularly opticians and hearing aid specialists”. For the moment, the site remains inaccessible, with no information on when it will be restored.
Data that can be reused for phishing attempts
Access to this data by hackers poses a double risk. With the social security number, hackers can access various public services, such as Ameli, the Health Insurance website, or abuse FranceConnect, the platform that gives access to multiple procedures. They could also create personalized phishing emails that imitate the form of mutual insurance letters in order to extract further information.
In the space of a year, other cyberattacks have allowed hackers to leak social security numbers. In August 2023, Pôle emploi was hit after hackers targeted one of the agency's service providers, the company Majorel. In June 2023, it was the turn of Rennes University Hospital (Ille-et-Vilaine) to pay the price; a month later, personal data was published on the dark web.