Skip to content
Data breachContained

Leak at Almerys, Viamedis

In early February 2024, French third-party health-payment operators Viamedis and Almerys disclosed breaches exposing data on about 33 million people — names, dates of birth, social security numbers and health-insurer details — in one of France's largest ever data breaches.

Victim
Almerys, Viamedis
records
33.0M

On 6 February 2024, Viamedis and Almerys — two French operators that manage tiers payant (third-party payment) for supplementary health insurers — disclosed data breaches that together exposed information on roughly 33 million people, around half of the French population. France's data protection authority, the CNIL, confirmed the scale, making it one of the largest data breaches in the country's history.

The attackers did not break the companies' core systems directly. Instead they targeted the accounts of healthcare professionals that have legitimate access to the Viamedis and Almerys portals, most likely via phishing or by reusing credentials stolen in earlier breaches. Viamedis detected the intrusion in late January 2024 and Almerys reported a similar compromise of professional accounts on 5 February.

The exposed data covered policyholders and their families and included:

  • First and last name
  • Date of birth
  • Marital and civil status
  • Social security number
  • Name of the health insurer
  • Type of contract and guarantees open to third-party payment

Both operators stated that no banking details, email or postal addresses, or telephone numbers were exposed, as these are not stored on the affected systems.

The companies cut off the compromised access and notified affected insurers, who in turn warned their members. The CNIL opened an investigation to assess the security measures in place and whether the operators met their GDPR obligations, while warning of an elevated risk of phishing and identity fraud given the breadth of the leaked identity and insurance data.

Sources

  1. cnil.frhttps://www.cnil.fr/fr/violation-de-donnees-de-deux-operateurs-de-tiers-payant-la-cnil-ouvre-une-enquete-et-rappelle-aux
  2. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/data-breaches-at-viamedis-and-almerys-impact-33-million-in-france/
  3. infosecurity-magazine.comhttps://www.infosecurity-magazine.com/news/france-33-million-social-security/
  4. euronews.comhttps://www.euronews.com/next/2024/02/08/data-of-33-million-people-in-france-stolen-in-its-largest-ever-cyberattack-this-is-what-we

Related incidents

Data breachContained

Leak at Mediboard

On 19 Nov 2024 a threat actor put the records of ~758,912 patients of French healthcare provider Aléo Santé — extracted via a compromised privileged account on the Mediboard patient-record platform — up for sale on BreachForums, exposing identities, contact details and sensitive medical data.

Victim
Mediboard
Records
758.9K