Skip to content
Data breachContained

Almerys at the heart of a massive leak of 15 million social security numbers

In May 2026, French third-party health-payment operator Almerys disclosed a breach after a database of more than 44 million records — including 15.4 million unique social security numbers, names, birthdates and insurance details — was offered for sale on a cybercrime forum.

Victim
Almerys
records
15.4M

On 22 May 2026, Almerys — one of France's largest third-party payment ("tiers payant") operators, managing health-insurance claim flows for hundreds of mutual insurers — was revealed to be at the centre of one of the country's biggest health-data leaks after a database was put up for sale on a cybercrime forum.

The attackers gained unauthorized access to Almerys's "prise en charge" (PEC) coverage-issuance portal, the web service used by certain healthcare professionals and facilities to validate patient cover. The leaked file reportedly contains more than 44 million lines and, critically, 15.4 million unique social security numbers (NIR), spanning data accumulated from roughly 2010 to 2026. Samples referenced numerous French mutual insurers, including Viasanté, MMJ and the Viasanté Groupe.

The exposed records included:

  • Full names and dates of birth
  • Social security numbers (NIR)
  • Health-insurance contract numbers and insurer names
  • Complementary-insurance (mutuelle) organization names
  • Coverage start and end dates
  • Potential family-relationship links between insured persons

Almerys confirmed the attack in a 25 May statement, describing the exposure of personal data affecting "all clients." It temporarily shut down the compromised PEC portal — disrupting optical, audiology, dental and some hospital coverage approvals — while stating that its other services (claims management, database updates, flow processing and benefit payments) continued to operate. The company filed an initial CNIL notification within the 72-hour window, lodged a criminal complaint with the public prosecutor and engaged France's cybersecurity agency ANSSI, with a phased resumption of PEC operations planned for the week of 1 June 2026. The combination of social security numbers and health-coverage details poses a serious risk of identity theft, administrative fraud and targeted phishing. This was the second major incident to hit Almerys, following the early-2024 Viamedis/Almerys leak that affected tens of millions of French residents.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/almerys-au-coeur-dune-fuite-massive-de-15-millions-de-numeros-de-securite-sociale/
  2. alan.comhttps://alan.com/fr-fr/blog/tout-alan/a/incident-securite-almerys
  3. acuite.frhttps://www.acuite.fr/actualites/profession/secuocam/cyberattaque-chez-almerys-le-tiers-payant-cible-a329053

Related incidents