France’s data protection agency CNIL is investigating massive data breaches at two companies that manage third-party healthcare payments, warning that more than 33 million people may be affected.
A notice from CNIL said two French service providers — Viamedis and Almerys — were targeted in a cyberattack that puts almost half of the French population at risk.
The agency said the two companies manage third-party payments for the medical insurance industry and warned that the exposed data includes marital status, date of birth and social security number, the name of the health insurer and family members.
Data such as banking information, medical data, health reimbursements, postal details, telephone numbers or even emails, were not affected.
The CNIL advisory said it will push for the breached companies to comply with the European Union’s GDPR (General Data Protection Regulation) rules around victim disclosure.
Although contact data is not affected by the breach, the CNIL notes that it is possibleto combine data from different incidents in cyberattacks against individuals.
“Given the scale of the violation, the president of the CNIL decided to very quickly carry out investigations in order to determine in particular whether the security measures implemented prior to the incident and in reaction to it were appropriate with regard to the GDPR obligations,” the CNIL said.
Related: GDPR Fines Surged Sevenfold to $1.25 Billion in 2021
Related: France Fines Yahoo 10 Mn Euros Over Cookie Abuses
Related: France, UK Seek Greater Regulation of Commercial Spyware
Related: France Punishes Clearview AI For Failing To Pay Fine