Skip to content
Supply chainOngoing

Leak at Malakoff Humanis (via Itelis)

In November 2025, optical-care platform Itelis was breached via the impersonation of a partner optician, exposing health and identity data of Malakoff Humanis (and AXA) members from optical reimbursement claims processed between 2020 and 2022.

Victim
Malakoff Humanis

On 24 November 2025, Malakoff Humanis — a major French health and pension insurer (mutuelle/prévoyance) — disclosed that member data had been exposed through a breach of Itelis, the optical-care network it uses to manage and reimburse vision claims. The incident was not a direct compromise of Malakoff Humanis systems but of its third-party processor, affecting several insurers that rely on Itelis, including AXA/APRS and AG2R.

The attacker gained access by impersonating a legitimate partner optician, using the trusted partner interface to query and exfiltrate optical reimbursement records rather than breaching the platform directly. Banking details, login credentials, postal addresses and email addresses were reportedly not compromised, which points to fraudulent use of partner access rather than a full database intrusion.

The exposed records related to optical claims processed roughly between 2020 and early 2022 and included:

  • Full names and dates of birth
  • Social security (national insurance) numbers
  • Claim/dossier reference numbers
  • Optical reimbursement details and visual-correction (prescription) data
  • Possibly phone numbers

Itelis filed a complaint with the public prosecutor and notified the French data protection authority (CNIL). Because the leaked data combines health identifiers with personal details, the main risk is targeted phishing and social-engineering — AXA, for instance, warned members to be wary of unsolicited requests to modify their contracts. The exact number of affected Malakoff Humanis members was not disclosed, and the investigation remained ongoing.

Sources

  1. stroople.comhttps://www.stroople.com/data-breach-observatory/data-breach-itelis-november-2025/
  2. next.inkhttps://next.ink/brief_article/fuite-de-donnees-personnelles-chez-itelis-axa-nom-dossier-correction-numero-secu/
  3. frenchbreaches.comhttps://frenchbreaches.com/alertes/itelis-impactant-aprs-axa-malakoff-humanis-ag2r--b73e8c179406

Related incidents

Supply chainContained

Leak at APRS (via Itelis)

APRS members were exposed in the November 2025 breach of Itelis, AXA's third-party optical-care platform, after an attacker posed as a partner optician; leaked data included names, dates of birth, social security numbers, optical reimbursement records and vision-correction details.

Victim
APRS