The third-party payment specialist Almerys confirmed on Monday May 25 that it had been the victim of a cyberattack resulting in “the exposure of personal data” of beneficiaries, without however quantifying their number.
According to a press release, “this attack, concerning all customers, allowed unauthorized access to the care delivery site (PEC)” used by certain professionals and health establishments. Almerys indicates that it has “taken immediate measures to identify and neutralize the accesses concerned”.
Thus “the PEC site has been closed”, which impacts requests for support in particular in optics, audiology, dental as well as certain hospital care. “Relevant stakeholders were immediately informed,” the statement added.
“Potentially exposed” personal data includes first and last name, date of birth, social security number, name of health insurer, insurer contract number as well as start and end dates of coverage, according to the company.
Several mutual insurance companies affected
On the other hand, “banking information, health data, healthcare reimbursements, postal details, telephone numbers, email addresses and passwords are not affected by this malicious act,” adds the press release.
Almerys specifies that its other services “remain operational” and that the activities “of management, database updating, flow processing and payment of health benefits are operating normally”. In fact, the situation “is limited to the care delivery site concerned” and “essential third-party payment services continue to be provided,” affirms the company.
Furthermore, Almerys indicates that it is working in a “transitional phase” allowing it to offer “workaround solutions” to the professionals and establishments concerned. On Saturday, health insurer Alan urged its members to be vigilant after this hack.
The company, already the victim of massive data theft during a cyberattack in early 2024, indicates that it has filed a complaint with the public prosecutor and notified the incident to the CNIL (National Commission for Information Technology and Liberties). A declaration was also made to the national information systems security agency (Anssi).
The Paris prosecutor’s office, for its part, indicated that its anti-cybercrime section had referred an investigation to the specialized brigade of the police headquarters.
