A cyberattack on Almerys, a key behind-the-scenes player in France’s health insurance payment system, may have exposed sensitive personal data, including French Social Security numbers, triggering fraud warnings and slowing approvals for dental work, eyeglasses, hearing aids, and some hospital care.
Almerys said an intruder gained unauthorized access to a specific website used to issue “prior authorizations” for coverage. The company shut that portal down to contain the breach, but it has not said how many people may be affected. French prosecutors in Paris have opened an investigation.
What Almerys does, and why this breach matters
Almerys helps run “tiers payant,” a common French system that lets patients avoid paying upfront while insurers and supplemental plans settle the bill directly with providers. Think of it as a critical piece of the plumbing that keeps routine health transactions moving, especially when a provider needs an insurer’s green light before delivering an expensive service.
The company insists the incident is limited to the prior-authorization site, not all of its third-party payment services. But even one broken link can jam the system when approvals are required before care moves forward.
The portal was shut down, and clinics are scrambling
Almerys said it detected unauthorized access to its prior-authorization platform, often referred to in France as the “PEC” site, and took immediate steps to identify and neutralize the suspicious access.
Then came the operational gut punch: the company closed the portal. Almerys says core third-party payment functions are still running, but providers who rely on quick digital approvals are being pushed into slower, manual workarounds (phone calls, emails, follow-ups), and patients are left waiting.
On the ground, that can mean delayed appointments, postponed fittings, or patients being asked to front costs temporarily until coverage is confirmed.
What data may have been exposed
Almerys says the potentially exposed information includes identity and insurance-contract details: last name, first name, date of birth, and France’s Social Security number, along with the name of the health insurer, contract number, and coverage start and end dates.
The company says the breach did not involve bank information, passwords, postal addresses, phone numbers, email addresses, medical data, or records of care reimbursements.
That limits the risk of immediate direct theft from bank accounts. But it doesn’t eliminate danger. A scammer armed with accurate insurer and policy details can craft highly convincing calls or messages designed to trick people into handing over additional information, IDs, bank routing details, or updated contact info.
Insurer Alan warns of phishing and social engineering
Alan, a fast-growing French digital health insurer, urged members to be on alert for fraudulent texts, calls, and emails in the wake of the attack. Even if contact details weren’t part of the exposed dataset, scammers often blast messages widely, betting they’ll reach the right targets.
Alan also said it has filed a complaint and reported the incident to French regulators, including CNIL (France’s national data protection authority, similar in role to a privacy regulator) and ACPR (the agency that oversees banks and insurance companies).
The practical advice is blunt: don’t click links from unexpected messages, verify callers through official channels, and don’t provide sensitive information to someone who contacts you first, especially if they ask you to “confirm” an ID number they should already have.
Care approvals for dental, vision, and hearing services are being delayed
The shutdown is hitting prior-authorization requests in vision care, dentistry, audiology, and certain hospital coverage approvals, areas where insurers often require confirmation before a provider delivers high-cost equipment or procedures.
Without the automated system, providers may have to print forms, send documentation manually, and wait for responses. Patients may experience the disruption as a sudden reversal of the usual promise: you won’t have to pay at the counter.
The episode also highlights a familiar vulnerability in modern health systems: when many insurers and providers depend on a single vendor for a critical digital function, one breach can ripple quickly across clinics and patients.
Paris prosecutors open an investigation; the scale remains unknown
The Paris prosecutor’s office has opened an investigation, a standard move in France when sensitive personal identifiers may have been compromised. Investigators will aim to determine who accessed the system, whether data was actually exfiltrated, and what laws may have been broken.
The biggest unanswered question is still basic: how many people were affected. Until Almerys or investigators provide an estimate, insurers, providers, and patients are left guessing whether the breach was narrow or much broader.
Even if no medical records were taken, identity data tied to an insurer can fuel long-running fraud attempts. For patients, the safest move is to treat unexpected outreach about coverage as suspicious and verify everything through official insurer channels. For providers, the challenge is keeping care moving without creating new security risks through improvised back-and-forth paperwork.
Key Takeaways
- Almerys confirms unauthorized access to the PEC site and shuts down the service.
- The exposed data includes identity information and Social Security numbers, but not banking or medical data.
- Optical, dental, audiology, and some hospital coverage are experiencing delays.
- Alan urges its policyholders to remain vigilant and is filing a complaint and reporting the incident to the CNIL and the ACPR.
- The Paris prosecutor's office has opened an investigation; the number of people affected has not been disclosed.
Frequently Asked Questions
What data may have been exposed in the Almerys cyberattack?
The information mentioned includes last name, first name, date of birth, Social Security number, insurer name, policy number, and coverage dates. Bank details, passwords, contact information, and health data are reportedly not affected, based on the information provided.
Does third-party payment still work despite the PEC website shutdown?
Almerys says essential third-party payment services are still being provided. However, the shutdown of the prior-authorization issuance site (PEC) may disrupt certain approvals, especially for vision, dental, hearing, and some hospital authorizations.
Why are insurers like Alan urging vigilance after the incident?
After an identity data leak, the main risk is fraud through social engineering—texts, calls, or fake advisors trying to obtain additional information. Alan therefore urged its members to be extra cautious in the weeks following the attack.
According to Alan, a criminal complaint has been filed and reports are being made to the CNIL and the ACPR. An investigation has also been opened by the Paris Public Prosecutor’s Office.