
The millions of policyholders affected by the data theft on the Almerys third-party health payment platform can be notified individually, Almerys said on Friday, May 29, without giving the number of people concerned.
Almerys “sent to all” of its insurer clients “the list” of people affected by the cyberattack, it said in a written statement. “This must allow” health insurers to make “direct communication to their affected beneficiaries”. Almerys nevertheless refused to disclose the number of victims of the theft.
According to the specialized site French Breaches, the first to raise the alert about the cyberattack on Friday, May 22, “more than 15 million social security numbers” were stolen by a hacker, then put up for sale on the dark web. A health insurance professional spoke on Friday of “twenty million people” potentially affected.
When questioned, the CNIL, the official data protection watchdog, confirmed that it had been notified of the data theft by Almerys and its insurer clients, but gave no information on the number of people concerned.
Lower value on the black market
According to Almerys, the stolen data includes last name, first name, date of birth, social security number, name of the health insurer, the insurer’s contract number, and the start and end dates of coverage. It does not include banking data, health data, email or postal addresses, or telephone numbers, which reduces its value on the data black market.
But according to experts, this data, cross-referenced with other data, can be used to set up multiple scams, to the detriment of the policyholders themselves, of the national Health Insurance scheme or of health insurers. Almerys clarified that “the attack is not the same as in 2024”, when the company and its competitor Viamedis were affected by a first massive data theft.
The CNIL’s investigations into the first theft in 2024 should be concluded “during 2026”, said the CNIL. A number of insurers have already published an information notice about the data theft on their customer portals. Alan, Generali, Viasanté/AG2R, CNP Assurances, Aesio, MCEN (notarial mutual) and MMJ (justice and security professions) have thus warned of the theft, according to a partial tally.
Almerys, Viamedis and Cetip (Cegedim group) are the three heavyweights of third-party payment management in France. They handle colossal quantities of data on a daily basis to enable reimbursement of the supplementary portion of healthcare costs.

