New tile for Social Security policyholders. Health Insurance warned Thursday March 17 that she had been the subject ofa breach of its information systems after which the personal and medical data of at least 510,000 affiliates were compromised.
At the end of last week, the Health Insurance detected that unauthorized people managed to connect to amelipro accounts, reserved for health professionals. Attackers were able to log into at least 19 healthcare professional accounts whose email addresses had been compromised. They then used an automated computer program to “chain-query” the data those accounts had access to.
At this stage, the Health Insurance indicates that the personal information of 510,000 policyholders was thus exposed. These data contain elements relating to the identity of persons such as surname, first name, date of birth and gender, but also, more problematically, the social security number.
The attackers also had access to information relating to the rights of the insured, such as statement from a treating physician, the allocation of complementary health or state medical aid and possible 100% coverage. On the other hand, contact details (email, address, telephone) and bank details of patients are not concerned, as is information relating to pathologies and care.
Questioned by RTL, Health Insurance said “not knowing in the state if the attackers just consulted the data or if they recorded them but the probability is very high that they copied them”.
A risk of phishing and identity theft for victims
Investigations are continuing to determine the extent of this data leak. The incident was notified to the CNIL on March 16 and a criminal complaint was filed the following day. Health Insurance will inform individually by email or by post all the people whose information has been exposed. The latter will be made aware of the increased risk of phishing to which they could be subjected. “Communication will be carried out, in the days to come, on the basis of the contact details we have for the people concerned. Sending by email will be favored to promote rapid information for people”, indicates Health Insurance.
In view of the information in the possession of the hackers, the victims face several threats. Above all, they run the risk of being the object of highly targeted phishing attempts, attackers can use the information collected to impersonate an analysis laboratory, the attending physician or a hospital visited in the past to trick victims into providing other personal data or banking information. In possession of a social security number, an identity and a date of birth, cybercriminals can also falsify documents to generate new vital cards or contract consumer loans.
Regarding the origin of the leak, Health Insurance explains that the registration of health professionals on the AmeliPro platform is subject to checks on the identity of users. Two access methods are proposed depending on the degree of sensitivity of the steps to be taken. Either by entering a username and password, for the basic procedures, or by authenticating with a CPS card, an electronic professional identity card, for the most sensitive procedures. The organization tells RTL that it will “work on strengthening username/password authentication with a second factor“.
This new massive leak of health data comes six months after the theft from the APHP of the data of one and a half million people screened for Covid-19 in mid-2020. At the beginning of 2021, a health data file concerning just over 500,000 French citizens had already been freely distributed on the Internet after a computer breach by a medical laboratory provider.
