A major French health-care billing middleman says hackers broke into a key online portal used to approve coverage for everything from eyeglasses to dental work, exposing sensitive personal data, including French Social Security numbers, and triggering warnings about a wave of scams.
The company, Almerys, sits at the center of France’s “third-party payment” system, roughly comparable to the behind-the-scenes claims and eligibility plumbing that helps Americans avoid paying full price up front when insurance is involved. After confirming the May 2026 breach, Almerys took its coverage-authorization site offline, a move meant to stop the intrusion but one that has also snarled routine care approvals in clinics and hospitals.
A critical authorization portal goes dark
Almerys said the attack targeted its portal for issuing “prises en charge,” or coverage authorizations, approvals that providers often need before delivering certain services or equipment. The company said it moved quickly to identify and shut down the unauthorized access.
The most visible step: taking the authorization site offline. That containment move can limit further data exposure, but it also disrupts day-to-day operations for providers who rely on near-instant approvals to finalize estimates and avoid asking patients to front the money.
Almerys said the outage is hitting high-volume approval areas in particular: vision care, dentistry, hearing services, and some hospital-related authorizations. In practical terms, when the portal is down, staff have to ask: Who can approve this now, through what channel, and how long will it take?
The company said other parts of its business remain operational: administrative processing, database updates, transaction handling, and payments. In other words, the financial back end is still running, but a front-line tool providers use to secure approvals has been paused while the company works to regain control.
Almerys also pointed to temporary workarounds for clinics and facilities. Those stopgaps tend to mean more manual checks, more phone calls, more paperwork, and longer waits, sometimes leaving patients stuck between a quote and an approval that used to arrive in minutes.
What was exposed: identity details, including France’s Social Security number
Almerys and notices relayed by insurers describe the potentially exposed data as administrative identity and coverage information, not medical records. The list includes a person’s name, date of birth, and, most notably, their French Social Security number (a national identifier used widely across the health system).
The exposed information may also include the name of the person’s health insurer, a contract number, and the start and end dates of coverage. That combination can be powerful in the wrong hands, giving scammers enough detail to craft messages that feel authentic.
A cybersecurity consultant quoted in French reporting described the risk bluntly: with a national ID number and an insurer name, a fraudster can write an email or text that “sounds real,” pushing targets to click a fake portal link or hand over documents.
Some insurers emphasized what was not involved. According to a notice relayed by one mutual insurer, the affected platform does not store bank details, medical data, health reimbursements, postal addresses, phone numbers, or email addresses, meaning those categories would not be impacted by this specific breach.
But that doesn’t eliminate the danger. Even without direct contact info from this system, attackers can pair leaked identity data with phone numbers or emails bought elsewhere, then launch convincing phishing campaigns by text, call, or email.
Insurer Alan warns customers; French regulators notified
One of the most prominent public warnings came from Alan, a fast-growing French health insurer often compared to a tech-forward U.S. insurer for its app-first approach. Alan told members to brace for an uptick in fraudulent messages following the May 22 incident.
Alan said it is filing a complaint and has reported the matter to French authorities, including the CNIL (France’s national data protection watchdog, similar in role to a mix of U.S. state privacy enforcers and the FTC’s consumer-protection lane) and the ACPR, the regulator that oversees banks and insurance companies.
Almerys said it also notified the CNIL and filed a report with ANSSI, France’s national cybersecurity agency, roughly analogous to CISA’s role in the United States. One key detail remains unclear: Almerys has not disclosed how many people may be affected.
French broadcaster BFM TV reported that the full scope of the leak is still unknown, though the exposure itself is confirmed. Some insurers and groups that use Almerys, including AG2R, were cited in coverage, while MGEN, one of France’s best-known mutual insurers, said it was not affected.
Echoes of a massive 2024 breach
The 2026 incident also revives uncomfortable memories: Almerys was linked to a previous data leak in February 2024 that French reports tied to stolen login credentials from health professionals. That kind of account takeover is a common weak point: once attackers have legitimate credentials, they can move through systems looking like authorized users.
That earlier episode was widely reported as affecting about 33 million people, nearly half of France’s population. Even if the two incidents differ, the comparison raises the stakes for Almerys, especially around stronger authentication and detecting unusual access patterns.
France, like the U.S., has seen a surge in data breaches. Sector figures cited in French reporting point to 8,613 notified breaches in a year, up 45%, a pace of roughly two dozen incidents a day, underscoring how industrialized cybercrime has become, particularly in health care and insurance.
What it means for patients and providers
For patients, the most immediate threat is fraud. The classic playbook after an identity-data leak is a message designed to trigger panic, claiming a file is incomplete, a reimbursement is frozen, or a new insurance card must be issued, then asking for documents or directing the person to a fake website.
The practical advice from insurers is straightforward: don’t click links in unsolicited messages, don’t send ID documents in response to unexpected requests, and contact your insurer through official channels you already use.
For providers, the outage is more than an IT headache. In vision and hearing care especially, coverage authorization can determine whether a patient walks out with equipment the same day. When approvals slow down, some patients pay out of pocket, others postpone care, and clinics spend more time chasing confirmations.
Almerys says core payment operations are still functioning, which may limit broader disruption. But until the authorization portal is restored, or replaced with a reliable alternative, France’s health-care billing machinery will keep running with a limp, and patients are likely to feel the friction at the worst possible moments: right when they’re trying to get care.
Key Takeaways
- Almerys confirms a cyberattack in May 2026 and shuts down its website for issuing coverage authorizations (“prises en charge,” or PEC).
- Potentially exposed data includes identity details, Social Security number, and contract information.
- Alan warns of an increased risk of scams, with reports filed with the CNIL and the ACPR.
- The incident recalls the 2024 leak linked to the takeover of healthcare professionals' accounts.
- Disruptions mainly affect coverage approvals for vision care, dental care, audiology, and some hospitalizations.
Frequently Asked Questions
What data may have been exposed in the Almerys cyberattack?
The information reported as potentially exposed includes last name, first name, date of birth, Social Security number, health insurer name, a contract number, and coverage start and end dates.
Are bank details or medical data affected?
According to information shared by a supplemental health insurer, bank details, medical data, health reimbursements, and certain contact details (mailing address, phone number, email) are not stored on the affected platform and therefore would not be impacted by this incident.
Why was the PEC site shut down, and which services are affected?
The prior-authorization (PEC) site was shut down to contain unauthorized access. This shutdown affects prior-authorization requests, especially for vision care, hearing care, dental care, and some hospital authorizations, while other management and payment services are reported to remain operational.
What should I do if I receive a suspicious message pretending to be my health insurer?
Be extra cautious, avoid clicking links or sending documents in response to an unsolicited message, and use your insurer’s usual contact channels instead. Insurers, including Alan, have warned that fraudulent messages may increase after the incident.

