French Health Payments Firm Hit by Cyberattack, Exposing ID Data and Fueling Fraud Fears

A major French health-care payments middleman says hackers broke into a key authorization portal and may have exposed sensitive personal data, including France’s equivalent of a Social Security number, setting off warnings about identity theft and scam attempts.

Almerys, a company that helps process “third-party payment” transactions so patients don’t have to pay upfront, confirmed the breach but has not said how many people may be affected. The intrusion targeted its online system used to approve certain medical coverage requests, and the company has shut that service down while it investigates.

The incident is already rippling through France’s health system, where these approvals can speed access to services like eyeglasses, hearing aids, dental work, and some hospital care. Insurers including Alan, a fast-growing French digital health insurer, are urging customers to brace for a spike in phishing and impersonation scams.

A key health authorization portal goes dark

Almerys says the attackers gained unauthorized access to its “PEC” site, short for “prise en charge,” a pre-authorization tool used by some clinics and health providers to confirm coverage before certain treatments.

The company’s most immediate move: shutting down the PEC service to contain the incident. Almerys says its core third-party payment operations are still running, but the pre-authorization piece is disrupted.

In practical terms, that can mean slower approvals and more manual work for providers. A hearing center waiting for confirmation before fitting an expensive device, or a dental office checking whether a patient’s plan covers a procedure, may face delays, or ask patients to front the money and seek reimbursement later.

Almerys has not publicly detailed the technical workaround it’s offering providers during the outage, and it has not provided a headcount for potentially impacted patients.

What data may have been exposed, and why it matters

Almerys says the potentially exposed information includes identity and administrative details: name, date of birth, France’s national identification number used for health coverage (similar in sensitivity to a U.S. Social Security number), the name of the health insurer, a contract number, and coverage start and end dates.

That combination is valuable to scammers because it helps them craft convincing stories, posing as an insurer, a benefits administrator, or a billing service, and pressure people into handing over whatever information is missing.

Almerys and other parties say several categories of data were not involved: bank information, medical records, reimbursement details, postal addresses, phone numbers, email addresses, and passwords. That reduces the risk of direct account theft, but it doesn’t eliminate the threat of identity fraud and social engineering.

A common playbook after breaches like this: a call, text, or letter that references real details, your insurer, your coverage dates, then demands an “urgent update” or sends you to a lookalike website to upload ID documents.

Insurers warn of phishing waves as scammers exploit the headlines

Alan has told customers to be on guard for a surge of fraudulent messages in the coming weeks. When a breach becomes public, criminals often ride the news cycle, blasting out alerts that sound plausible: “Your coverage authorization is blocked,” “Update your file,” “Confirm your identity.”

These scams don’t always ask for money upfront. Often, they’re designed to collect documents or identifiers, government ID, proof of address, or the national ID number, so criminals can attempt broader identity theft later.

The challenge, consumer advocates note, is that vague warnings can also backfire by creating alert fatigue. The most effective guidance is specific: don’t share your national ID number with an unverified caller, don’t upload documents through links you didn’t request, and verify any request by contacting your insurer through an official number you already have.

French regulators and prosecutors step in

Almerys says it has notified France’s privacy watchdog, the CNIL (roughly comparable to a mix of the FTC’s consumer protection role and U.S. state privacy regulators), and reported the incident to ANSSI, France’s national cybersecurity agency.

The Paris prosecutor’s office said its cybercrime unit has assigned the case to a specialized police brigade. Investigators typically work to reconstruct how attackers got in, what accounts were used, what logs show, and whether data was merely accessible or actually copied out.

One complicating factor: Almerys has been hit before. The company was targeted in early 2024 in a separate large-scale data theft, raising fresh questions about the security posture of firms that sit in the middle of health-care billing and administrative workflows.

Why “middleman” platforms can create outsized fallout

In systems like France’s, third-party payment operators connect insurers, providers, and administrative data at scale. That makes them efficient, and attractive targets. A single compromised professional account or weak authentication flow can open doors to broad swaths of personal information.

If pre-authorization slows down, patients can feel it quickly. For items like glasses or hearing aids, the out-of-pocket advance can run hundreds of dollars or more, roughly hundreds of euros in France, depending on the device and coverage, even if reimbursement comes later.

Until Almerys discloses how many people were affected, patients and providers are left guessing about the true scope. The longer that number stays unknown, the more room scammers have to exploit uncertainty, and the harder it becomes for the public to separate legitimate insurer outreach from fraud.