A security flaw linked to ameli.fr, the portal of the National Health Insurance Fund (CNAM): this is what the specialized news site NextInpact discovered, after being informed by one of its readers.
Any insured person could exploit it, because letters received from the health insurance fund are also stored in PDF format in the insured person's personal space on its website. It was enough to change the number of the PDF file in the browser's URL bar (where the addresses of websites and online documents appear) to access PDF letters sent to other policyholders, at random.
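The pattern described above, where a document number taken from the URL is trusted once the user is logged in, is shown here beside a version with a per-document ownership check. This is an added example, not Ameli's code; the store, the function names and the sample letters are constructed for illustration.

```python
from collections import Counter

# Constructed sample store: letters keyed by a sequential number, as in the flaw described.
LETTERS = {
    1001: {"owner": "insured-A", "pdf": b"%PDF-1.4 letter for A"},
    1002: {"owner": "insured-B", "pdf": b"%PDF-1.4 letter for B"},
    1003: {"owner": "insured-C", "pdf": b"%PDF-1.4 letter for C"},
}
# Per-user count of requests that did not resolve to one of the user's own letters.
DENIED = Counter()


class NotFound(Exception):
    """Raised for both 'no such letter' and 'not your letter'."""


def get_letter_vulnerable(session_user, letter_id):
    # Before: being logged in is the only check; the number from the URL is trusted.
    if session_user is None:
        raise PermissionError("login required")
    letter = LETTERS.get(letter_id)
    if letter is None:
        raise NotFound(letter_id)
    return letter["pdf"]


def get_letter_fixed(session_user, letter_id):
    # After: object-level authorization on every request.
    if session_user is None:
        raise PermissionError("login required")
    letter = LETTERS.get(letter_id)
    if letter is None or letter["owner"] != session_user:
        # Same error either way, so responses do not reveal which numbers exist.
        DENIED[session_user] += 1
        raise NotFound(letter_id)
    return letter["pdf"]


def enumeration_suspects(threshold=2):
    # Accounts with repeated denied requests, a signal worth reviewing in access logs.
    return sorted(user for user, count in DENIED.items() if count >= threshold)
```

The denied-request counter gives the operator something to check when asked whether anyone else walked the document numbers.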
An “immediately fixed” flaw
As NextInpact specified on Wednesday, December 18, “It was not possible to target a specific individual”. But the news site was able to access the last names, first names, addresses, and social security numbers of other people in seconds, as well as their letters, which could, it writes, contain requests for documents, information, certificates of treatment or refusals of care in such and such a place, etc.
“This identified anomaly was immediately corrected and the security of mail on the Ameli account is now fully guaranteed”, Ameli told Le Monde, adding that it has not seen any exploitation of this flaw, except by NextInpact and its source.
The organization also asserts that “The administrative nature of the information contained in these documents greatly limited its impact, since the letters sent by the primary funds to the insured did not contain personal medical information”. It also explains that “The anomaly noted could not have been exploited for malicious purposes, because there was no way to seek specific information on a given person, any more than to target a type of document”.