33 million people: Data of almost half of France’s population stolen in health sector breach
February 2024 by Ebin Sandler, Threat Analyst, Cybersixgill
French regulators recently warned that a January 2024 cyber-attack on two major healthcare sector companies caused over 33 million people’s data to be compromised. The data includes sensitive personal information, which threat actors could exploit in phishing campaigns and financial fraud schemes. Cybersixgill observed demand for the stolen data on the underground, in addition to threat actors disseminating similar content from previous breaches.
On February 7, 2024, France’s National Commission for Information Technology and Liberties (CNIL) issued a notice that two major healthcare payment service providers, Viamedis and Almerys, suffered cyber-attacks that affected the data of more than 33 million people. CNIL noted that the attack took place at the end of January 2024, with the compromised data relating to policyholders and their family members.
The data includes marital status, dates of birth, national identity numbers, and health insurance carrier names, among other information. While the CNIL notice indicated that the breach did not affect banking information, medical data, physical addresses, telephone numbers, or emails, threat actors could use the data that was compromised for a variety of malicious activities. These include phishing attacks, identity theft, and financial fraud.
Threat actors can also combine this type of breached data with other information from previous incidents to commit various forms of fraud. Accordingly, CNIL recommended that affected individuals remain vigilant with regard to financial requests related to health cost reimbursement, urging people to monitor account activity. The incident is particularly alarming in light of the scope of the breach, which affects close to half of France’s total population of 67.5 million people. CNIL noted that the incident implicates various obligations under the European Union’s (EU) General Data Protection Regulation (GDPR).
The healthcare sector is one of the top industries targeted by cybercriminals, who remain attracted to companies such as Viamedis and Almerys because of the vast amounts of private data they process and store. This information can be more attractive than stolen credit cards for certain cybercriminals due to the enduring financial value of patient health data and records. Among the threats faced by healthcare industry entities are ransomware attacks, data theft, initial access sales, and sector-specific risks that potentially threaten lives and endanger public health.
Healthcare industry organizations like Viamedis and Almerys rely on the internet and network-connected systems to store records and transmit policy-holder data, which means their attack surface is significant. Indeed, entities in the healthcare industry remain primary targets for threat actors, with breaches in this sector costing on average over $10 million per victim. While attacks in the EU implicate GDPR issues, attacks in the U.S. that reach protected health information (PHI) can result in liability under the Health Insurance Portability and Accountability Act (HIPAA). Victim entities may also be required to disclose cyber incidents in Securities and Exchange Commission (SEC) 8-K filings.
Cybersixgill detected demand on the underground for the data stolen from Viamedis and Almerys in January 2024. This includes a February 8, 2024, message posted by an active member of a popular cybercrime forum. In general, the threat actor is interested in stolen personal data from social media platforms and recently posted a leak of data related to a U.S.-based domain registrar and web hosting company.
In one instance, a threat actor requested the stolen Viamedis and Almerys data one day after CNIL issued its notice related to the cyber-attack. Prior to that notice, news of the attack began circulating in the French press. As of February 11, 2024, there were no public replies to the post below.
While it is possible that a threat actor with access to the data reached out to the poster privately, it is also possible that those with access to the data are not advertising it yet. This latter conclusion is supported by the fact that no established ransomware group or data theft operation had taken credit for the Viamedis and Almerys attacks as of February 11, 2024. This may mean that the attackers are attempting to negotiate a ransom payment from the victims, or that individuals who possess the stolen data are attempting to sell it privately.
In addition to the Viamedis and Almerys data, Cybersixgill has detected sustained interest in French healthcare sector data on the same forum. This includes a post advertising a database of medical records connected to the Covid-19 epidemic. The data allegedly contains close to 500,000 medical records, and the threat actor posted a significant number of samples. These are intended to prove that the database contains the information described in the post, including names, phone numbers, addresses, and marital status. While the original ad was posted on June 30, 2023, it continued to receive positive responses as of February 10, 2024, most of which expressed gratitude for the leaked data, with some requesting advice on how to exploit it. The data continues to circulate more than seven months after it was posted, demonstrating how victims suffer the consequences of data breaches for extended periods after the initial incident.
Threat actors are just beginning to take notice of the Viamedis and Almerys breach, which will likely attract significant attention on the underground. Indeed, threat actors will likely continue to seek the data on cybercrime forums, in addition to Telegram channels and other platforms. Based on the type of data that was stolen, threat actors could use the information for a variety of malicious purposes. In view of the demand for sensitive information on underground markets and forums, and the threat that related phishing attacks and financial fraud pose, all organizations should instruct employees not to click on links or attachments in suspicious emails. Specifically, users should double-check email senders’ identities before opening attachments or clicking links. They should also remain vigilant with regard to misspelled URLs to avoid entering credentials into fraudulent websites. Finally, organizations should instruct personnel to exercise additional caution when using multi-factor authentication (MFA) codes for corporate services.
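The two habits recommended above (verifying who actually sent a message and spotting misspelled or look-alike domains in links) can also be automated at the mail-gateway or SOC-triage layer. The following Python is an added example written for this page; it is not code from the article, from Cybersixgill, or from Viamedis or Almerys. The trusted-domain allow-list, the sample messages and the edit-distance threshold are constructed for illustration, and the crude "last two labels" registrable-domain logic would be replaced by a Public Suffix List lookup in production.

```python
"""
Phishing triage helpers: sender-domain verification and look-alike domain detection.

Added example for illustration only. TRUSTED_DOMAINS, SAMPLES and the
distance threshold are constructed assumptions, not data from any real deployment.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list of domains the organization considers legitimate senders/link targets.
TRUSTED_DOMAINS = {"viamedis.fr", "almerys.com", "ameli.fr", "example-mutuelle.fr"}

# Digits commonly swapped for visually similar letters in typosquatted names.
HOMOGLYPHS = str.maketrans("01357", "olest")


def normalize(host):
    """Lower-case, strip trailing dot and a leading 'www.'; no homoglyph folding."""
    h = host.lower().strip().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def fold(host):
    """Normalize, then map digit homoglyphs to letters and 'rn' to 'm' (reads as 'm' in many fonts)."""
    return normalize(host).translate(HOMOGLYPHS).replace("rn", "m")


def registrable(host):
    """Crude eTLD+1: the last two labels. Adequate for .fr/.com; use the Public Suffix List in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """
    'trusted'   : registrable part of the (unfolded) domain is on the allow-list.
    'lookalike' : a trusted name is embedded as a subdomain of an untrusted host, or the
                  homoglyph-folded registrable part is within max_dist edits of a trusted name.
    'unknown'   : anything else.
    The exact-match check runs on the unfolded name so that 'alrnerys.com' is not promoted to trusted.
    """
    raw = normalize(domain)
    base = registrable(raw)
    if base in trusted:
        return "trusted"
    if any(t in raw for t in trusted):  # e.g. viamedis.fr.attacker.example
        return "lookalike"
    folded = registrable(fold(domain))
    if any(levenshtein(folded, t) <= max_dist for t in trusted):
        return "lookalike"
    return "unknown"


def check_message(from_header, reply_to, urls):
    """Return human-readable findings for one message: sender verdict, Reply-To mismatch, link verdicts."""
    findings = []
    from_dom = parseaddr(from_header)[1].rpartition("@")[2]
    verdict = classify_domain(from_dom)
    if verdict != "trusted":
        findings.append("sender domain %r is %s" % (from_dom, verdict))
    if reply_to:
        rt_dom = parseaddr(reply_to)[1].rpartition("@")[2]
        if registrable(normalize(rt_dom)) != registrable(normalize(from_dom)):
            findings.append("Reply-To domain %r differs from From domain %r" % (rt_dom, from_dom))
    for u in urls:
        host = urlparse(u).hostname or ""
        v = classify_domain(host)
        if v != "trusted":
            findings.append("link host %r is %s" % (host, v))
    return findings


# Constructed sample messages (not real traffic): a reimbursement lure and a benign notice.
SAMPLES = [
    {"from": "Service Remboursement <no-reply@v1amedis.fr>",
     "reply_to": "support@mail-remboursement.example",
     "urls": ["https://viamedis.fr.secure-login.example/remboursement"]},
    {"from": "Almerys <info@almerys.com>",
     "reply_to": None,
     "urls": ["https://www.almerys.com/espace-assure"]},
]


def run_samples():
    """Triage every constructed sample; returns one findings list per message."""
    return [check_message(s["from"], s["reply_to"], s["urls"]) for s in SAMPLES]


if __name__ == "__main__":
    for msg, found in zip(SAMPLES, run_samples()):
        print(msg["from"], "->", found or ["no findings"])
```

The first sample trips all three checks (homoglyph sender domain, mismatched Reply-To, trusted name buried in an attacker-controlled host); the second produces no findings. Tune `max_dist` to the length of the names you protect: two edits is generous for short domains such as `ameli.fr` and will produce false positives against unrelated short names, so a real deployment would pair this with reputation data rather than block on it alone.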