Data breach at France’s data protection agency CNIL

France’s data protection agency CNIL has reported a data breach involving two French service providers — Viamedis and Almerys. We look at the details of the data breach below.

Salient points

  • CNIL reported the data breach involving two service providers on 7 February 2024. You can read more about the notification released by CNIL on this page.
  • The data breach happened at Viamedis and Almerys. The two companies manage third-party payments for the medical insurance industry. Both companies are based in France.
  • The exact timeline of the data breach is not clear.
  • Data of over 33 million French people may have been affected in the data breach. This implies that more than half of France’s population may have been impacted in this data breach.
  • The CNIL has initiated an investigation to determine the cause and audit trail of the incident.

What data was breached?

The CNIL has confirmed that the following data was compromised:

  • Marital status of the insurer
  • Date of birth of the insurer
  • The social security number of the insurer
  • The name of the health insurer
  • The name of the family members of the health insurer

The following personal data was not breached as part of the data breach:

  • Banking information
  • Medical data
  • Health reimbursements
  • Postal details
  • Telephone numbers
  • Contact emails

Current status of the breach

The CNIL has initiated an investigation into the security incident at both service providers. The investigation will also cover the audit trail of the incidents.

In a statement, CNIL said:

“Given the scale of the violation, the president of the CNIL decided to very quickly carry out investigations in order to determine in particular whether the security measures implemented prior to the incident and in reaction to it were appropriate with regard to the GDPR obligations.”

The CNIL also said it will push for the breached companies to comply with the European Union’s GDPR (General Data Protection Regulation) rules around victim disclosure.

About CNIL

The CNIL, Commission Nationale Informatique & Libertés, is the French Data Protection Agency. Created in 1978, the CNIL is an independent administrative body that operates in accordance with the data protection law of 6 January 1978, as amended on 6 August 2004.

The CNIL is the Data Protection Authority for France. The authority is established in Paris and is in charge of enforcing GDPR for France, as well as the national law for data protection, the “Loi Informatique et Libertés”.

The CNIL issues orders and imposes fines through its restricted formation, meaning one president and five other elected members, pursuant to Article 9 of the “Loi Informatique et Libertés”. The CNIL’s internal rules indicate that, unless otherwise justified, the pronouncement of fines is public.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.