Data on more than 33 million people in France, approximately half the population, was compromised in a cyberattack at the end of January, according to the country’s privacy watchdog.

The Commission Nationale Informatique et Libertés (CNIL) announced this week it had been informed by two health insurance companies, Viamedis and Elmer’s, about the incident.

It warned that the data affects policyholders and their families and includes “marital status, date of birth and social security number, the name of the health insurer as well as the guarantees of the contract taken out.”

Fortunately, unlike the incident affecting Australian health insurance business Medibank, medical histories and treatment data was not compromised.

The CNIL said that the health insurance companies were directly responsible for informing the affected individuals — but people are urged to be cautious over potential phishing attempts intending to defraud them.

The CNIL warned that although policyholders’ contact data wasn’t affected by the breach, “it is possible that the breached data could be combined with other information from previous data breaches” to carry out further crimes.

The data protection agency said that given the scale of the incident it “decided to very quickly carry out investigations in order to determine in particular whether the security measures implemented prior to the incident and in reaction to it were appropriate with regard to the GDPR obligations.”

If the companies are found to have failed to put in place cybersecurity protections needed under the EU’s GDPR (General Data Protection Regulations), the companies could be fined up to €20 million or 4% of their global turnover, whichever is higher.

The ransomware attack on Medibank caused enormous distress in Australia when the criminals began publishing sensitive healthcare claims data for around 480,000 individuals, including information about drug addiction treatments and abortions, for extortion purposes.

Australia, alongside the United Kingdom and United States, publicly identified the alleged culprit last month as Russian hacker Aleksandr Ermakov, and imposed financial sanctions and travel bans on him.