Leak at APRS (via Itelis)
APRS members were exposed in the November 2025 breach of Itelis, AXA's third-party optical-care platform, after an attacker posed as a partner optician; leaked data included names, dates of birth, social security numbers, optical reimbursement records and vision-correction details.
- Victim
- APRS
On 24 November 2025, APRS — a French health insurer (mutuelle/OCAM) — informed members that their personal data had been exposed through a breach at Itelis, the third-party optical and health-care provider network operated for AXA that manages optical reimbursement claims. APRS was one of several insurers and mutuelles caught up in the incident, alongside AXA, Malakoff Humanis and AG2R.
The breach did not stem from APRS's own systems. Attackers gained unauthorised access to the Itelis reimbursement platform by impersonating a legitimate partner optician, using compromised credentials rather than directly breaching a database. The exposed records covered optical-care claims processed roughly between 2020 and early 2022.
Data reported as exposed included:
- Name and first name
- Date of birth
- Social security number
- Claim/dossier number and optical reimbursement records
- Vision-correction data
- Phone number (in some cases)
Itelis stated that banking details, postal addresses, email addresses, usernames and passwords were not affected. The exact number of impacted individuals was not disclosed by Itelis or APRS. Itelis took its platform offline, notified the CNIL and filed a criminal complaint, while AXA warned affected customers to be alert to phishing attempts that could exploit the leaked data.
Sources
- frenchbreaches.comhttps://frenchbreaches.com/alertes/itelis-impactant-aprs-axa-malakoff-humanis-ag2r--b73e8c179406
- next.inkhttps://next.ink/brief_article/fuite-de-donnees-personnelles-chez-itelis-axa-nom-dossier-correction-numero-secu/
- stroople.comhttps://www.stroople.com/data-breach-observatory/data-breach-itelis-november-2025/
- acuite.frhttps://www.acuite.fr/actualite/ocam/323834/la-plateforme-de-soins-itelis-victime-dune-cyberattaque-concernant-des-donnees