Massive theft of health data: what are the risks for the people concerned?

It is a large-scale attack whose contours are difficult to discern. This Wednesday, February 7, the CNIL lifted the veil on a massive data leak concerning two health operators, Viamedis and Almerys. “In total, this data leak concerns more than 33 million people,” details the CNIL in its press release.

The data concerned are, for policyholders and their families, marital status, date of birth and social security number, the name of the health insurer as well as the guarantees of the contract subscribed. “Neither banking information, nor medical data, nor health reimbursement, nor postal details, telephone numbers or even emails are affected,” assured several mutual insurance companies in messages addressed to their customers. But then what can hackers do with this data?

“It’s as if the hackers had stolen keys or master keys,” analyzes Denis Jacopini, legal expert in cybercrime. This data can now be resold or used by hackers on the same network for a return on investment. Several options are then available to scammers. “They can try to pass themselves off as you to institutions or companies,” says the specialist. For example, the social security number is necessary to connect to your Ameli account. Once infiltrated into their victim's account, scammers can divert allocations to their own bank accounts.

“Scammers can also pose as organizations and try to deceive you,” adds Denis Jacopini. With data like name, date of birth and insurance contract details, a hacker can easily pose as a bank or insurance employee to extort money from users whose details have leaked . “With certain well-chosen details, it is quite easy to gain the trust of certain people,” assures the cybersecurity specialist. “This personal information will make it possible to carry out very effective fishing campaigns, by email or SMS,” confirms Pierre Penalba, former head of the first group to fight against cybercrime of the National Police. Fake messages with all your contact details will appear larger than life.”

To prevent scams that could happen. Denis Jacopini recommends remaining on your guard. “If someone shows up on the phone as your bank or insurance advisor and asks you for an unusual action, it’s probably a scam,” warns the expert. The safest way is to make a return call to the usual number or to a number listed on official documents. “It’s the only solution to be sure to speak to the same person,” insists Denis Jacopini.

For her part, given the scale of the attack, the president of the CNIL decided to carry out investigations in order to determine in particular whether the security measures implemented prior to the incident and in reaction to it were appropriate. with regard to GDPR obligations. “How did the hackers manage to penetrate the company site and why the data was not encrypted?, asks Pierre Penalba. Everyone has the right to ask themselves the question.” This Thursday, February 8, the Viamedis site, one of the two hacked operators, was suspended "so that it can be reopened in maximum security conditions, as quickly as possible" according to the message on the page of welcome.