Skip to content
Supply chainContained

Leak at Alan (via Almerys)

On 23 May 2026, French digital health insurer Alan warned members that a cyberattack on its third-party claims processor Almerys had exposed their personal data — names, dates of birth, social security numbers and insurance contract details — though payment, password and health data were spared.

Victim
Alan

On 23 May 2026, Alan — a French digital health insurer ("mutuelle") — notified its members that their personal data had been exposed in a cyberattack on Almerys, the third-party tiers-payant (claims) processor that handles reimbursements between insured members, healthcare providers and insurers. Alan's own systems were not breached; the data leaked through its provider.

The intrusion stemmed from the fraudulent compromise of a healthcare professional's account on Almerys' prise-en-charge platform, which is used to authorise audio, optical and hospital care. The threat actor (using the handle "Lagui") advertised a database of roughly 44 million records containing about 15.4 million unique social security numbers, making it one of the largest French health-data leaks in recent years and affecting members across many insurers, not only Alan.

The exposed data for affected Alan members included:

  • First name, last name and date of birth
  • Birth order (rang de naissance)
  • Social security number
  • Insurance contract number and insurer name
  • Coverage start and end dates

Alan stated that payment/banking details, passwords and health (medical) data were not affected. The insurer notified the ACPR (insurance regulator) and the CNIL, took the position that its platform remained intact, and urged members to stay vigilant against phishing attempts that could exploit the leaked identity data. Almerys took its reimbursement platform offline on detecting the attack and filed an initial CNIL notification on 25 May 2026. This was Almerys' second major data incident in roughly two years, following the 2024 Viamedis/Almerys breaches.

Sources

  1. alan.comhttps://alan.com/fr-fr/blog/tout-alan/a/incident-securite-almerys
  2. next.inkhttps://next.ink/238995/alan-alerte-sur-une-fuite-de-donnees-chez-almerys-son-prestataire-de-tiers-payant/
  3. cybernews.comhttps://cybernews.com/security/almerys-french-healthcare-data-leak/
  4. leto.legalhttps://www.leto.legal/news/almerys-fuite-donnees-tiers-payant-mutuelles-mai-2026

Related incidents

Supply chainUnknown

Data leak at Wemind (via Allianz)

On 28 January 2026, a data leak affecting Wemind, the French neo-insurer for freelancers and small businesses, exposed members' contact details — names, postal addresses, email addresses and phone numbers — through its Allianz insurance/back-office channel.

Victim
Wemind
Supply chainContained

Leak at ASAF & AFPS (via Itelis)

Members of insurer ASAF & AFPS had personal data exposed after a breach at Itelis, the optical-care network processing their claims; names, dates of birth, social security numbers, claim records and vision-correction data from 2020-2022 were affected.

Victim
ASAF & AFPS
Supply chainContained

Leak at AG2R la Mondiale (via Itelis)

Disclosed in November 2025, a cyberattack on Itelis — the optical-care third-party network used by insurer AG2R la Mondiale — exposed beneficiaries' names, dates of birth, social security numbers, reimbursement records and vision-correction data for optical coverage handled between 2020 and early 2022.

Victim
AG2R la Mondiale
Supply chainContained

Leak at La Nef

In September 2025, French ethical cooperative bank La Nef notified shareholders that their email addresses were exposed after a cyberattack on third-party voting provider SLIB; only email addresses were affected, with no banking data, IDs or passwords compromised.

Victim
La Nef