Data breach at French healthcare services firm puts millions at risk

French healthcare services firm Viamedis suffered a cyberattack that exposed the data of policyholders and healthcare professionals in the country.

Though the company's website remains offline at the time of writing, an announcement was posted on LinkedIn warning of the data breach.

The data exposed in the attack includes a beneficiary's marital status, date of birth, social security number, name of health insurer, and guarantees open to third-party payment. 

The company has clarified that the breached systems did not store people's banking information, postal details, telephone numbers, and email addresses.

For healthcare professionals, Viamedis says they will be sending different notifications about what data was exposed.

Viamedis has informed impacted health organizations, filed a complaint with the public prosecutor, and notified the authorities (CNIL, ANSSI) accordingly. Currently, the company continues to investigate the impact of the cyberattack.

Regarding the scale of the breach, Viamedis has not stated the number of exposed individuals, but it is known that it manages payments for 84 healthcare organizations covering 20 million insured individuals.

The firm's General Director, Christophe Cande, told Agence France-Presse (AFP) that an investigation is underway to determine the scope of the breach.

"To date, we do not have the number of insured individuals impacted; we are still in the process of investigation." - Cande (GD Viamedis)

Cande has also clarified that the cyberattack wasn't ransomware. Instead, he said a successful phishing attack on an employee allowed the threat actor to breach its systems.

One of the organizations working with Viamedis, Malakoff Humanis, has posted a notice on its website confirming the indirect impact of the Viamedis data breach.

The company is also sending data breach notifications to impacted customers to inform them of the cyberattack and disruption of services.

Their message reiterates the information disclosed in the Viamedis notice and assures clients that no banking, medical, or contact details stored on the platforms have been compromised.

Malakoff Humanis says access to user accounts and reimbursement claims remains available. However, the temporary disconnection of the Viamedis platform is expected to affect the provision of certain healthcare services.

Other service providers using Viamedis, including Carte Blanche Partenaires, Itelis, Kalixia, Santéclair, and Audiens, are expected to experience similar situations.

Local media in France reported that Viamedis wasn't the only target of the cyberattack. Reportedly, a company named "Almerys," which is also a payment processor for healthcare organizations, was also targeted.