Cyberattack on Almerys Exposes Sensitive Data of Alan Policyholders in France
A cyberattack targeting Almerys, a French third-party payment processor for health insurers, has compromised the personal data of policyholders from digital insurer Alan. The breach occurred at Almerys, which acts as an intermediary between insured individuals, healthcare providers, and mutual insurance companies meaning Alan’s customers were exposed despite no direct breach of Alan’s own systems.
In a statement released Saturday, Alan confirmed the leaked data includes full civil status, Social Security numbers, contract numbers, insurer names, and coverage dates. However, bank details, passwords, addresses, and health records were not affected. Almerys responded by taking its reimbursement platform offline upon detecting the attack, causing disruptions for healthcare providers such as opticians and hospitals submitting claims.
The incident highlights the risks of supply chain vulnerabilities in France’s healthcare payment ecosystem, where third-party breaches can have cascading effects on insurers and their customers. No direct intrusion into Alan’s servers was reported.
Almerys TPRM report: https://www.rankiteo.com/company/almerys
"id": "alm1779575065",
"linkid": "almerys",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Policyholders',
'industry': 'Health Insurance',
'location': 'France',
'name': 'Alan',
'type': 'Digital Insurer'},
{'customers_affected': 'Healthcare providers and '
'insured individuals',
'industry': 'Healthcare Payments',
'location': 'France',
'name': 'Almerys',
'type': 'Third-Party Payment Processor'}],
'data_breach': {'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (Personally Identifiable '
'Information)',
'type_of_data_compromised': ['Full civil status',
'Social Security numbers',
'Contract numbers',
'Insurer names',
'Coverage dates']},
'description': 'A cyberattack targeting Almerys, a French third-party payment '
'processor for health insurers, has compromised the personal '
'data of policyholders from digital insurer Alan. The breach '
'occurred at Almerys, which acts as an intermediary between '
'insured individuals, healthcare providers, and mutual '
'insurance companies, meaning Alan’s customers were exposed '
'despite no direct breach of Alan’s own systems.',
'impact': {'brand_reputation_impact': 'Supply chain vulnerability highlighted',
'data_compromised': 'Personal data of policyholders',
'downtime': 'Platform taken offline',
'identity_theft_risk': 'High (Social Security numbers exposed)',
'operational_impact': 'Disruptions for healthcare providers '
'submitting claims',
'payment_information_risk': 'None (bank details not affected)',
'systems_affected': 'Almerys reimbursement platform'},
'lessons_learned': 'Highlights risks of supply chain vulnerabilities in '
'France’s healthcare payment ecosystem',
'references': [{'source': 'Alan Statement'}],
'response': {'communication_strategy': 'Public statement released',
'containment_measures': 'Platform taken offline'},
'title': 'Cyberattack on Almerys Exposes Sensitive Data of Alan Policyholders '
'in France',
'type': 'Data Breach'}