February 2024

33 Million People: Data of Almost Half of France's Population Stolen in Health Sector Breach

French regulators recently warned that a January 2024 cyberattack on two major healthcare sector companies caused over 33 million people’s data to be compromised. The data includes sensitive personal information, which threat actors could exploit in phishing campaigns and financial fraud schemes. Cybersixgill observed demand for the stolen data on the underground, in addition to threat actors disseminating similar content from previous breaches.

 

The Headline

On February 7, 2024, France’s National Commission for Information Technology and Liberties (CNIL) issued a notice that two major healthcare payment service providers, Viamedis[1] and Almerys,[2] suffered cyberattacks that affected the data of more than 33 million people. CNIL noted that the attack took place at the end of January 2024, with the compromised data relating to policyholders and their family members. The data includes marital status, dates of birth, national identity numbers, and health insurance carrier names, among other information.

While the CNIL notice indicated that the breach did not affect banking information, medical data, physical addresses, telephone numbers, or emails, threat actors could use the data that was compromised for a variety of malicious activities. These include phishing attacks, identity theft, and financial fraud. Threat actors can also combine this type of breached data with other information from previous incidents to commit various forms of fraud.

Accordingly, CNIL recommended that affected individuals remain vigilant with regard to financial requests related to health cost reimbursement, urging people to monitor account activity. The incident is particularly alarming in light of the scope of the breach, which affects close to half of France’s total population of 67.5 million people. CNIL noted that the incident implicates various obligations under the European Union’s (EU) General Data Protection Regulation (GDPR).

The healthcare sector is one of the top industries targeted by cybercriminals, who remain attracted to companies such as Viamedis and Almerys because of the vast amounts of private data they process and store. This information can be more attractive than stolen credit cards for certain cybercriminals due to the enduring financial value of patient health data and records. Among the threats faced by healthcare industry entities are ransomware attacks, data theft, initial access sales, and sector-specific risks that potentially threaten lives and endanger public health.

Healthcare industry organizations like Viamedis and Almerys rely on the internet and network-connected systems to store records and transmit policyholder data, which means their attack surface is significant. Indeed, entities in the healthcare industry remain primary targets for threat actors, with breaches on entities in this sector costing on average over $10 million per victim. While attacks in the EU implicate GDPR issues, attacks in the U.S. that reach protected health information (PHI) can result in liability under the Health Insurance Portability and Accountability Act (HIPAA).[3] Victim entities may also be required to disclose cyber incidents in Securities and Exchange Commission (SEC) 8-K[4] filings.

 

Behind the headline

Cybersixgill detected demand on the underground for the data stolen from Viamedis and Almerys in January 2024. This includes the February 8, 2024 message below (Figure 1) posted by an active member of a popular cybercrime forum. In general, this threat actor is interested in stolen personal data from social media platforms and recently posted a leak of data related to a U.S.-based domain registrar and web hosting company.

In the post below, the threat actor requested the stolen Viamedis and Almerys data one day after CNIL issued its notice related to the cyber attack. Prior to that notice, news of the attack began circulating in the French press. As of February 11, 2024, there were no public replies to the post below.

While it is possible that a threat actor with access to the data reached out to the poster privately, it is also possible that those with access to the data are not advertising it yet. This latter conclusion is supported by the fact that no established ransomware group or data theft operation had taken credit for the Viamedis and Almerys attacks as of February 11, 2024. This may mean that the attackers are attempting to negotiate a ransom payment from the victims, or that individuals who possess the stolen data are attempting to sell it privately.

Figure 1: A threat actor seeks the Viamedis and Almerys data on a cybercrime forum

 

In addition to the post above seeking the Viamedis and Almerys data, Cybersixgill has detected sustained interest in French healthcare sector data on the same forum. This includes the post below advertising a database of medical records connected to the Covid-19 epidemic. The data allegedly contains close to 500,000 medical records, and the threat actor posted a significant number of samples. These are intended to prove that the database contains the information described in the post, including names, phone numbers, addresses, and marital status.

While the original ad was posted on June 30, 2023, it continued to receive positive responses as of February 10, 2024, most of which expressed gratitude for the leaked data, with some requesting advice on how to exploit it. The data continues to circulate, despite being posted in June, demonstrating how victims suffer the consequences of data breaches for extended periods after initial incidents.

Figure 2: A threat actor advertises a database of French medical records on a cybercrime forum

Figure 3: A forum member thanks the poster for the stolen data

 

Takeaways

Threat actors are just beginning to take notice of the Viamedis and Almerys breach, which will likely attract significant attention on the underground. Indeed, threat actors will likely continue to seek the data on cybercrime forums, in addition to Telegram channels and other platforms. Based on the type of data that was stolen, threat actors could use the information for a variety of malicious purposes.

In view of the demand for sensitive information on underground markets and forums, and the threat that related phishing attacks and financial fraud pose, all organizations should instruct employees not to click on links or attachments in suspicious emails. Specifically, users should double-check email senders’ identities before opening attachments or clicking links. They should also remain vigilant with regard to misspelled URLs to avoid entering credentials into fraudulent websites. Finally, organizations should instruct personnel to exercise additional caution when using multi-factor authentication (MFA) codes for corporate services.



[1] Viamedis manages third-party payer networks in the French health insurance market, working with insurance companies and healthcare providers during the reimbursement process for medical expenses. Viamedis offers network management services and claims processing, among other services.

[2] Almerys provides software and services for health insurance companies and healthcare professionals, including platforms for managing healthcare reimbursement, health insurance claims, electronic health records, and other administrative tasks.

[3] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States that protects the privacy and security of individuals' healthcare information, known as Protected Health Information (PHI). HIPAA’s Privacy Rule (45 C.F.R. § 160.103) protects all PHI “held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” PHI includes “many common identifiers,” such as name, address, birth date, and social security number, and is defined by the Privacy Rule as “information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”

[4] Publicly traded companies in the U.S. are required to make 8-K filings to report significant events or corporate changes deemed material to investors.
