French health-payments vendor Almerys hit by cyberattack, exposing Social Security-style IDs

La Revue TechEnglishFrench health-payments vendor Almerys hit by cyberattack, exposing Social Security-style IDs
4.9/5 - (8 votes)

A cyberattack on Almerys, a key behind-the-scenes player in France’s health insurance payment system, may have exposed sensitive personal data, including French Social Security numbers, triggering fraud warnings and slowing approvals for dental work, eyeglasses, hearing aids, and some hospital care.

Almerys said an intruder gained unauthorized access to a specific website used to issue “prior authorizations” for coverage. The company shut that portal down to contain the breach, but it has not said how many people may be affected. French prosecutors in Paris have opened an investigation.

What Almerys does, and why this breach matters

Almerys helps run “tiers payant,” a common French system that lets patients avoid paying upfront while insurers and supplemental plans settle the bill directly with providers. Think of it as a critical piece of the plumbing that keeps routine health transactions moving, especially when a provider needs an insurer’s green light before delivering an expensive service.

The company insists the incident is limited to the prior-authorization site, not all of its third-party payment services. But even one broken link can jam the system when approvals are required before care moves forward.

The portal was shut down, and clinics are scrambling

Almerys said it detected unauthorized access to its prior-authorization platform, often referred to in France as the “PEC” site, and took immediate steps to identify and neutralize the suspicious access.

Lire aussi :  EV charging in France in 2026 can swing by nearly 500% for the same stop—here’s what drives the gap

Then came the operational gut punch: the company closed the portal. Almerys says core third-party payment functions are still running, but providers who rely on quick digital approvals are being pushed into slower, manual workarounds, phone calls, emails, follow-ups, and patients are left waiting.

On the ground, that can mean delayed appointments, postponed fittings, or patients being asked to front costs temporarily until coverage is confirmed.

What data may have been exposed

Almerys says the potentially exposed information includes identity and insurance-contract details: last name, first name, date of birth, and France’s Social Security number, along with the name of the health insurer, contract number, and coverage start and end dates.

The company says the breach didnotinvolve bank information, passwords, postal addresses, phone numbers, email addresses, medical data, or records of care reimbursements.

That limits the risk of immediate direct theft from bank accounts. But it doesn’t eliminate danger. A scammer armed with accurate insurer and policy details can craft highly convincing calls or messages designed to trick people into handing over additional information, IDs, bank routing details, or updated contact info.

Insurer Alan warns of phishing and social engineering

Alan, a fast-growing French digital health insurer, urged members to be on alert for fraudulent texts, calls, and emails in the wake of the attack. Even if contact details weren’t part of the exposed dataset, scammers often blast messages widely, betting they’ll reach the right targets.

Alan also said it has filed a complaint and reported the incident to French regulators, including CNIL (France’s national data protection authority, similar in role to a privacy regulator) and ACPR (the agency that oversees banks and insurance companies).

The practical advice is blunt: don’t click links from unexpected messages, verify callers through official channels, and don’t provide sensitive information to someone who contacts you first, especially if they ask you to “confirm” an ID number they should already have.

Lire aussi :  France Wants Every 10th Grader to Study AI by 2027, Top Computer Scientists Say the Plan Is Too Thin

Care approvals for dental, vision, and hearing services are being delayed

The shutdown is hitting prior-authorization requests in vision care, dentistry, audiology, and certain hospital coverage approvals, areas where insurers often require confirmation before a provider delivers high-cost equipment or procedures.

Without the automated system, providers may have to print forms, send documentation manually, and wait for responses. Patients may experience the disruption as a sudden reversal of the usual promise: you won’t have to pay at the counter.

The episode also highlights a familiar vulnerability in modern health systems: when many insurers and providers depend on a single vendor for a critical digital function, one breach can ripple quickly across clinics and patients.

Paris prosecutors open an investigation; the scale remains unknown

The Paris prosecutor’s office has opened an investigation, a standard move in France when sensitive personal identifiers may have been compromised. Investigators will aim to determine who accessed the system, whether data was actually exfiltrated, and what laws may have been broken.

The biggest unanswered question is still basic: how many people were affected. Until Almerys or investigators provide an estimate, insurers, providers, and patients are left guessing whether the breach was narrow, or much broader.

Even if no medical records were taken, identity data tied to an insurer can fuel long-running fraud attempts. For patients, the safest move is to treat unexpected outreach about coverage as suspicious and verify everything through official insurer channels. For providers, the challenge is keeping care moving without creating new security risks through improvised back-and-forth paperwork.

Key Takeaways

  • Almerys confirms unauthorized access to the PEC site and shuts down the service.
  • The exposed data includes identity information and Social Security numbers, but not banking or medical data.
  • Optical, dental, audiology, and some hospital coverage are experiencing delays.
  • Alan urges its policyholders to remain vigilant and is filing a complaint and reports with the CNIL and the ACPR.
  • The Paris prosecutor's office has opened an investigation; the number of people affected has not been disclosed.
Lire aussi :  5 reasons companies are betting on HR software in 2026, and why it’s reshaping the workplace

Frequently Asked Questions

What data may have been exposed in the Almerys cyberattack?

The information mentioned includes last name, first name, date of birth, Social Security number, insurer name, policy number, and coverage dates. Bank details, passwords, contact information, and health data are reportedly not affected, based on the information provided.

Does third-party payment still work despite the PEC website shutdown?

Almerys says essential third-party payment services are still being provided. However, the shutdown of the prior-authorization issuance site (PEC) may disrupt certain approvals, especially for vision, dental, hearing, and some hospital authorizations.

Why are insurers like Alan urging vigilance after the incident?

After an identity data leak, the main risk is fraud through social engineering—texts, calls, or fake advisors trying to obtain additional information. Alan therefore urged its members to be extra cautious in the weeks following the attack.

Which authorities are involved in this case?

According to Alan, a criminal complaint has been filed and reports are being made to the CNIL and the ACPR. An investigation has also been opened by the Paris Public Prosecutor’s Office.

Entreprises technologies
Entreprises technologies
Je suis rédacteur web. J'ai 44 ans et j'ai une passion pour l'écriture et la création de contenus. Sur mon site La Revue Tech , vous trouverez des articles, des guides et des conseils sur les nouvelles technologies pour améliorer votre présence en ligne grâce à une communication efficace et percutante. Bienvenue dans mon le monde des innovations et découvertes technologiques.
SEO 2023

Tendances

indicateur E reputation
Plus d'informations sur ce sujet
Autres sujet

City Buzz or Nature Retreat? The Team-Building Choice That Actually Changes How Coworkers Connect

City offsite or nature retreat? Each shapes team chemistry differently—here’s how to pick the setting that builds real trust, not just a busy agenda.

In 2026, Brands Are All-In on Vertical Video, Because TikTok-Style Clips Now Run Social Media

Vertical short videos dominate 2026 social feeds. Here’s why brands are betting on 9:16 clips, clipping strategies, and authentic UGC to win attention.

SpaceX Just Put 10,000 Starlink Satellites in Orbit, And the Sky Is Getting Crowded

SpaceX now has 10,000+ Starlink satellites operating at once, an unmatched feat that’s also fueling alarms about crowded orbits and ruined astronomy images.

Why Most B2B AI Projects Stall, and the Playbook That Gets Real Results Fast

Most B2B AI projects fail fast from bad use cases and weak team setup. Here’s how to pick the right first win, and a vendor who can ship it.