Have a million Health Insurance accounts really been hacked?

Not so fast! The login credentials of 1 million accounts on ameli.fr, the Health Insurance site, are reportedly for sale. This information, spotted by the Zataz site (which sells a data-leak monitoring service), was picked up as is by several media outlets, in particular in the specialized press or by TF1. The problem? Its veracity is impossible to verify.

The only certain element in the case: an individual “very well known in his field of digital malevolence”, according to Zataz, has put up for sale a database which, according to him, contains 1 million username/password pairs for the site ameli.fr. In other words, enough to log in to the Ameli accounts of a million policyholders. According to the criminal, the data is “completely fresh and private”, that is to say never seen before, which would justify the price of the file: 6,000 dollars (about 5,705 euros).

Any other conclusion on the case is speculative, for the good reason that no media outlet has bought the database – which would, moreover, be illegal – and therefore no one knows its contents. The database could actually match the promises of the malefactor, or it could just as well contain irrelevant data, which is common among cybercriminals.

No problem detected by Health Insurance

Contacted by La Tribune, Health Insurance explains that it was aware of this sale, but did not detect any anomaly in its computer systems, which would be abnormal if the leak were real. “The data leak mentioned by the article published by the Zataz site does not correspond to any attack detected by the Health Insurance within its information systems. No theft of data allowing policyholders to access their Ameli account has been detected by our systems, which monitor connections to our teleservices to identify abnormal behavior. We are therefore unable to confirm the accuracy of the information reported, which does not correspond to a finding made in our tools, nor to reports from our policyholders,” it wrote.

Translation: the Health Insurance indicates that it thinks there was no leak, but it cannot venture to affirm this until the contents of the file sold by the cybercriminal are known. Even if cybersecurity tools can detect unusual behavior – which would probably be the case if a million login credentials were exploited almost simultaneously by criminals – there is a margin of error. And as long as the Health Insurance cannot check the alleged database of credentials, there is a possibility that the criminal's claims are true.

Faced with these threats, the organization already has several measures in place to reduce the risks. For example, each time someone logs in to an Ameli account, it sends an email to the email address linked to the account. Thus, if a policyholder receives a login email for a connection he did not make, he can immediately change his password and report a possible identity theft to the Health Insurance. For its part, the organization will continue to look for unusual behavior. “We are continuing and strengthening our actions to supervise the use of all our teleservices to adapt them continuously to the operating methods of cyber-attackers,” it writes.

Wave of phishing

If the database corresponded to what the criminal claims, the National Health Insurance Fund (Cnam) would need to discover its origin. The institution rules out, for the moment, the hypothesis of a successful cyberattack, which is why Zataz and other media raise the possibility that the data was collected by phishing. These fraudulent messages promise, for example, a fake reimbursement from Health Insurance in order to extract data from the least careful people.

These phishing campaigns come back at regular intervals, and the Health Insurance tells La Tribune that “phishing attempts have increased in recent times, with malicious people seeking to obtain their login IDs and passwords directly from policyholders”. But to conclude that the alleged data in the file on sale for 6,000 dollars comes from a phishing operation is, for the moment, only speculation. More generally, nothing so far confirms the criminal's claims.

However, like any organization, the National Health Insurance Fund (Cnam) is not impervious to cybersecurity incidents. In March, it made public – as provided for in the General Data Protection Regulation (GDPR) – the hack of “at least 19 Amelipro accounts” owned by health workers. The criminals had taken advantage of their access to siphon off several types of data belonging to 510,000 policyholders: surname, first name, date of birth, sex, social security number, attending physician declaration, receipt of complementary solidarity health coverage or State medical aid, possible 100% reimbursement. The Cnam had reported the incident to the French data protection watchdog – the Cnil – as provided for in the law, and it had also filed a criminal complaint. No trace of a possible sale of this data has been made public to date.