A major behind-the-scenes player in France’s health-care system says it’s been hacked again, and this time the fallout could touch tens of millions of people.
Almerys, a central contractor that helps process “third-party payment” health claims (think of it as a clearinghouse connecting insurers, pharmacies, doctors’ offices, and patients), confirmed a breach tied to the exposure of 15,452,549 unique French Social Security numbers. A file circulating in criminal marketplaces is described as containing up to 44 million rows of data.
The company shut down part of its coverage/claims platform as investigators and regulators moved in. For consumers, the immediate fear isn’t drained bank accounts, it’s identity fraud and highly targeted scams powered by real personal data.
What leaked: 15.45 million unique IDs, and a dataset that may be far larger
The number driving alarm in France is 15,452,549: the count of unique “NIR” identifiers, France’s equivalent to a Social Security number, reportedly included in a dataset offered for sale in cybercriminal circles.
Researchers and early reports also cite a file reaching 44 million lines, suggesting duplicates, historical records, or multiple entries tied to the same person. Either way, the scale points to a breach that extends well beyond one company’s customer list.
In the U.S., a Social Security number is often the skeleton key for opening credit lines or hijacking accounts. France’s NIR plays a similarly central role in administrative life, meaning it can be used to stitch together identities and make scams far more convincing.
What data was exposed, and what wasn’t
According to details shared in early notifications and public reporting, the compromised information centers on civil-status and insurance relationship data: name, surname, date of birth, birth order/rank, insurance contract number, insurer name, and coverage dates.
Several organizations have emphasized that this specific dataset doesnotappear to include bank details, passwords, or medical records. That limits certain worst-case scenarios, but it doesn’t eliminate risk. Identity theft doesn’t require lab results, just enough accurate personal information to impersonate someone or trick them into handing over the rest.
Why this breach ripples: Almerys sits in the middle of the system
Almerys isn’t a household name, but it’s embedded in the plumbing of French health insurance. It operates as a third-party payment processor for many “mutuelles,” France’s supplemental insurers that cover costs beyond the national system.
That structure is closer to a U.S. claims-processing vendor or benefits clearinghouse than a single insurer. When an intermediary like that gets hit, the blast radius can spread across a network of partners.
Names cited in customer communications and public reports include Alan (a fast-growing digital insurer) and major mutual groups such as MGEN, Harmonie Mutuelle, and AG2R. The key point: this isn’t necessarily “one insurer got hacked.” It’s a shared vendor incident that can affect many insurers at once.
A familiar entry point: a hijacked admin account
Early information points to a classic failure mode in modern breaches: attackers allegedly impersonated or took over a manager-level account on a platform intended for health professionals, then used that privileged access to extract data.
Instead of smashing through a firewall, the intruder appears to have walked through an existing door, one that may have had access to far too much. If a single account can pull millions of records, security experts typically see an architecture problem, not just a “someone clicked a bad link” problem.
The dataset’s reported appearance “for sale” also suggests a money-driven operation, data theft for resale, rather than pure disruption.
Insurers begin notifying customers as service disruptions hit the real world
Because the breach involves a vendor, the messaging can get messy: the contractor, the insurers, and the regulators all have roles, and customers just want to know whether they’re exposed.
Alan has told members its own servers weren’t attacked and that the leak stems from the third-party payment provider. That distinction may matter legally, but for consumers the risk is the same: their personal identifiers may now be in criminal hands.
On the ground, the incident has already created practical headaches. Guidance circulated to some insured customers urged them to wait before submitting new coverage requests, warning of delays and potential processing blocks while the crisis is managed. When a central platform goes dark, reimbursements can slow and pharmacies and clinics may need workarounds.
Why French Social Security numbers supercharge phishing and identity fraud
A stolen identifier paired with a real name and birthdate is rocket fuel for social engineering. The most immediate threat is targeted phishing, texts, emails, or calls that sound legitimate because the scammer can cite accurate details about your insurer and coverage.
A common playbook: a “benefits adviser” or “national health insurance representative” contacts you with urgency, then asks you to “confirm” information, share a one-time code, or click a link to “secure” your account. The goal is to use credible leaked data to get you to hand over the missing pieces.
Even without passwords in the leak, criminals can use the information to attempt account takeovers, file fraudulent administrative requests, or build more complete identity profiles over time, especially if multiple family members appear in linked records.
Regulators notified, platform shut down, and questions about repeat breaches
Almerys reported the incident to French regulators including the CNIL (France’s data protection authority, similar in spirit to a mix of U.S. state privacy enforcers and the FTC’s consumer-protection role) and the ACPR (the banking and insurance supervisory authority, akin to a financial regulator overseeing insurers).
The company also cut off its coverage/claims service to stop further extraction, trading convenience for containment.
The bigger issue: this is not Almerys’ first major incident. The company suffered a significant cyberattack in January 2024, and this new breach comes roughly 27 months after an earlier major event cited in reporting. For the public, and for the insurers relying on the vendor, the obvious question is what changed after the last wake-up call, and whether the health-care payment ecosystem is structurally too interconnected to fail safely.
For now, the practical implication is straightforward: millions of people may need to treat unexpected messages about their health coverage the way Americans treat suspicious IRS calls, assume it could be a trap, and verify through official channels before sharing anything.
Key Takeaways
- The leak attributed to Almerys reportedly involves 15,452,549 unique Social Security numbers.
- The file that was circulated reportedly contains up to 44 million rows, including personal identity details and contract data.
- Based on the information available, bank details, passwords, and health data are reportedly not affected.
- The main risk is identity theft and targeted phishing, made more effective by credible data.
- The CNIL and the ACPR were notified, and the support service was shut down.
Frequently Asked Questions
What data may have been leaked in the Almerys hack?
The information described as compromised includes identity details (last name, first name, date of birth, birth order), the Social Security number (NIR), and contract information (number, organization, coverage dates). Bank details, passwords, contact information, and health data are reportedly not affected, based on information shared by some insurers.
Why is the Social Security number (NIR) so sensitive?
The NIR is used as a core identifier in many processes. Combined with identity details, it makes social engineering, highly targeted phishing, and certain types of administrative fraud easier. Even without a password or bank account number (IBAN), it can make scams much more convincing because the fraudster can prove they have accurate information.
How can I recognize a phishing attempt related to this leak?
Common signs include a text message, email, or phone call claiming to be from Social Security, a supplemental health insurer, or a service provider, using an urgent tone and asking you to act immediately. Best practice is not to click links, never share verification codes, and to contact the organization yourself through an official channel.
What should I do if I think I’m affected or being targeted?
It’s recommended to be extra vigilant with incoming messages, watch for any unsolicited administrative activity, and report fraud attempts via cybermalveillance.gouv.fr. The organizations involved may also notify policyholders individually once the scope is confirmed.
Sources
- Piratage d'Almerys : 15 millions de numéros de Sécurité Sociale dans la nature, ce qu'il faut savoir – Team AAZ – Forum
- Almerys à nouveau piraté : plus de 15 millions de numéros de Sécurité sociale en fuite – Les Numériques
- 15 millions de numéros de sécurité sociale piratés : Almerys est victime d'une nouvelle fuite de données
- 15 millions de numéros de sécurité sociale siphonnés : comment vous protéger après le piratage massif d'Almerys ?
- Almerys au cœur d’une fuite massive de 15 millions de numéros de sécurité sociale
- Cyberattaque d’Almerys : plus de 15 millions de numéros de Sécurité sociale en fuite, mutuelles et assurés sous tension. - mai 29, 2026
- Comment obtenir la prime grand rouleur 2026 : 3 conditions à cocher, simulateur impots.gouv.fr, formulaire en ligne - mai 27, 2026
- Mulhouse, Belchamp, Leapmotor : Stellantis déploie une stratégie électrique XXL face à la concurrence chinoise - mai 27, 2026
