April International

April International, providers of mutuelle and private health insurance in France, have been the victims of a cyber attack, and customer data has been compromised. Don’t have much detail yet, but we have just received an email from them to that effect. Does @fabien know any details?

I hope that this is not related to the current thread entitled ‘April comfort my travel PHI’…

Not for the first time either, seems they still can’t get it right:

Hi everyone, we don’t know much at this stage except that personal data are safe as per the official statement, which basically said that they had no bank details, no medical data, no claims, no physical address, phone numbers or emails. Original text in French => aucune information bancaire, ni de données médicales, ni de remboursements santé, ni de coordonnées postales, téléphonique ou email ne sont stockés sur cette plateforme

2 Likes

On the news this morning that two large mutuelle/tiers payant companies have been hacked, so presumably April (Almeris) and another also unnamed one.

The other one is Viamedis.

As the compromise is stated to have occurred through the use of healthcare professional accounts, one might speculate that credential stuffing was used to gain access to the healthcare professional interface. I don’t know how these healthcare professionals gain access to their side of the tiers payant portal, but one would hope that it isn’t just through the use of an email address / password combination.

I hate to say it, but some of the professional-facing web login systems in use are woefully lacking in contemporary best practice security. From my own experience, the web portal login for the INPI (French patent & trademark office) is based solely on a combination of email address and password. No 2FA in sight, although there is a forced reset of the password every X months, and additionally some kind of fail2ban script running, to limit the number of successive login attempts with an incorrect password. Better than nothing, but “not quite Carling”?

1 Like