Viamedis & Almerys Hacked: 33 Million Health Records Exposed
"Your mutual insurance card, your healthcare reimbursements, your personal information: 33 million French citizens exposed. The second-largest data breach in French history."
Table of Contents
- What Are Viamedis and Almerys?
- The Attack: What We Know
- What Data Was Stolen?
- Concrete Risks for You
- Is Your Mutual Insurance Affected?
- The Response from Stakeholders
- What You Must Do
- Responsibility and Legal Recourse
- The Systemic Problem
- Complete FAQ
- Conclusion: The Healthcare Sector Under Threat
- Sources
In February 2024, two third-party payment operators virtually unknown to the general public -- Viamedis and Almerys -- revealed they had been victims of a cyberattack. The result: the data of 33 million French citizens ended up in the hands of hackers.
If you have supplementary health insurance (mutuelle), you are likely affected. These two companies manage the data exchanges between your mutual insurance providers and healthcare professionals for nearly the entire French market.
This article explains what happened, what data was stolen, and how to protect yourself.
What Are Viamedis and Almerys?
Invisible operators managing the health data of 33 million French citizens.
The Invisible Link in Your Healthcare
When you present your mutual insurance card at the doctor's office or at the pharmacy, you only see the tip of the iceberg. Behind the scenes, technical operators manage the data exchanges.
Viamedis and Almerys are third-party payment managers. Their role:
- Receive reimbursement requests from healthcare professionals
- Verify your coverage with your mutual insurer
- Transmit the information for reimbursement
- Manage the financial flows
Millions of French Citizens Affected
| Operator | Client Mutual Insurers | Insured Individuals Affected |
|---|---|---|
| Viamedis | Mutuals from the Malakoff Humanis group, Klesia, etc. | ~20 million |
| Almerys | Viasante, Harmonie Mutuelle, etc. | ~13 million |
| Total | | ~33 million |
In other words, nearly one in two French people with supplementary health insurance were potentially clients of these operators.
The Problem of Centralization
This system concentrates the data of millions of people at just a few technical service providers:
"By trying to optimize costs and standardize data flows, the healthcare sector has created massive points of vulnerability. One flaw at an operator, and millions of people are exposed."
-- Cybersecurity expert, ZDNet
Source: CNIL - Viamedis Almerys Cyberattack
The Attack: What We Know
Targeted phishing of healthcare professionals: the entry point for a massive data extraction.
Timeline of Events
| Date | Event |
|---|---|
| January 2024 | Probable start of the intrusion |
| Late January 2024 | Compromise of healthcare professionals' accounts |
| February 1, 2024 | Viamedis detects the attack and cuts access |
| February 5, 2024 | Almerys announces it was also compromised |
| February 7, 2024 | Official notification to the CNIL |
| February 8, 2024 | Public communication from both companies |
The Method: Targeted Phishing
Contrary to what one might imagine, the hackers did not exploit a sophisticated technical vulnerability in the systems. They used a simpler and more effective method:
Hijacking healthcare professionals' accounts
- The hackers targeted healthcare professionals (doctors, pharmacists, etc.)
- Through phishing (fake emails), they obtained their login credentials
- With these legitimate access credentials, they were able to massively download the data
"Healthcare professionals have access to the Viamedis and Almerys portals to verify their patients' coverage. By stealing their credentials, the hackers gained direct access to the databases."
-- Viamedis official statement
The Scale of the Extraction
| Indicator | Figure |
|---|---|
| Individuals affected | 33 million |
| Extraction period | Several days |
| Data fields per person | 6 to 8 fields |
| Estimated volume | Several gigabytes |
Source: Le Monde - Viamedis Almerys Hack
What Data Was Stolen?
Your Social Security number, your mutual insurer, your coverage guarantees: ultra-sensitive data.
Data Confirmed as Exposed
| Data Type | Stolen | Risk |
|---|---|---|
| Civil status (last name, first name) | Yes | Identity theft |
| Date of birth | Yes | Fraudulent verification |
| Social Security number | Yes | CRITICAL |
| Mutual insurer name | Yes | Targeted phishing |
| Contract guarantees | Yes | Benefits fraud |
What Was NOT Stolen (Officially)
Viamedis and Almerys have sought to reassure the public on certain points:
- Medical records (conditions, treatments, prescriptions) -- NOT stolen
- Healthcare history -- NOT stolen
- Bank details (RIB, IBAN) -- NOT stolen
- Postal addresses (not directly, but can be cross-referenced) -- NOT stolen
- Emails and phone numbers (not directly in these databases) -- NOT stolen
Why It Is Still Extremely Serious
Even without medical data, the stolen information is extremely sensitive:
The Social Security number:
- A permanent identifier that is impossible to change
- Provides access to your healthcare benefits
- Used as identity verification everywhere
The mutual insurer name + guarantees:
- Enables the creation of ultra-credible phishing attacks
- Facilitates reimbursement fraud
- Reveals information about your financial situation
Concrete Risks for You
Perfect phishing, Ameli fraud, health identity theft: your data opens every door.
1. Ultra-Targeted "Mutual Insurance" Phishing
With your data, scammers can create perfectly personalized messages:
Example of a fraudulent SMS after the breach:
"[Name of YOUR real mutual insurer]: Your reimbursement of EUR 147.50 is pending. Confirm your bank details to receive payment: [fraudulent link]"
These messages are much more convincing because they mention:
- The real name of your mutual insurer
- Plausible amounts based on your coverage guarantees
- Your real policyholder number
2. Health Insurance Fraud
With your Social Security number and mutual insurance information, a criminal can:
- Order medications in your name
- Get fictitious treatments reimbursed
- Impersonate you to healthcare professionals
- Use your benefits for personal purposes
3. Health Identity Theft
Cases are already documented where victims discover:
- Prescriptions they never received
- Hospitalizations they never had
- Reimbursements going to third parties
"I discovered that someone had used my Social Security number to get medications prescribed. The traces of these prescriptions are now in my medical record. It's a nightmare to correct."
-- Victim testimony, UFC-Que Choisir forum
4. Cross-Referencing With Other Leaks
This breach adds to the others from 2024. By cross-referencing the databases:
| Breach | Data Obtained |
|---|---|
| Viamedis/Almerys | Social Security number, mutual insurer, guarantees |
| France Travail | Address, email, phone number |
| Free/SFR | IBAN |
Result: A complete profile enabling perfect identity theft.
Is Your Mutual Insurance Affected?
Malakoff Humanis, Harmonie Mutuelle, MGEN: check whether your mutual insurer uses these operators.
How to Find Out
The affected mutual insurers are those using Viamedis or Almerys as their technical operator. This notably includes:
Mutual insurers using Viamedis:
- Mutuals from the Malakoff Humanis group
- Klesia
- And many smaller mutual insurers
Mutual insurers using Almerys:
- Harmonie Mutuelle
- Viasante
- MGEN (certain contracts)
- And many others
The Best Approach
- Contact your mutual insurer directly
- Ask if they use Viamedis or Almerys
- Check whether you received a notification
- Consult the CNIL website for updates
Source: CNIL - Advice for Viamedis Almerys Victims
The Response from Stakeholders
Access cut, CNIL notified, complaint filed: but too late for 33 million people.
Viamedis and Almerys
Both operators have:
- Cut access as soon as the breach was detected
- Notified the CNIL within the legal deadlines
- Communicated publicly
- Filed a criminal complaint
However, questions remain:
- Why were professional access credentials not better secured (2FA)?
- Why did massive downloads not trigger an alert?
- Were the data encrypted?
The Mutual Insurers
The mutual insurers that were clients of these operators had to:
- Inform their members
- Strengthen fraud monitoring
- Manage the crisis of confidence
"We depend on subcontractors for technical management. This attack reveals the limits of our control over the data chain."
-- Head of a mutual insurer (anonymous)
The CNIL
The CNIL opened an investigation covering:
- The security measures in place
- Compliance with GDPR obligations
- The speed of notification
- Potential sanctions
What You Must Do
Monitor Ameli, distrust phishing, strengthen security: your immediate action plan.
Immediate Actions
1. Monitor your Ameli account
Log in regularly to ameli.fr to check:
- Your recent reimbursements (no unknown treatments)
- Your benefits (no suspicious modifications)
- Your designated doctor (no unauthorized change)
2. Verify communications from your mutual insurer
- Never click on links in emails or SMS
- Always access the site via the official URL
- Call the official number if in doubt
3. Maximum vigilance against phishing
The scams will be ultra-personalized. Golden rules:
- Your mutual insurer will never ask for your bank details by email or SMS
- Always verify the real sender of emails
- If in doubt, hang up and call back the official number
Long-Term Actions
4. Strengthen your digital security
| Action | Priority |
|---|---|
| Unique password on Ameli | Immediate |
| 2FA on all your health accounts | Immediate |
| Password manager | High |
| Secure email (ProtonMail) | Important |
5. Document for potential legal recourse
- Keep the notifications you received
- Note any suspicious incident
- Preserve evidence of harm
Complete guide: How to Protect Your Personal Data
Responsibility and Legal Recourse
The GDPR protects you: right to information, right to reparation, available recourse.
Your GDPR Rights
The GDPR provides several rights in the event of a data breach:
Right to information (Article 34)
- Organizations must inform you promptly
- The information must be clear and complete
Right to reparation (Article 82)
- You can claim compensation for the harm suffered
- The harm can be material or moral
Class Actions
Several associations and law firms have initiated proceedings:
- UFC-Que Choisir: monitoring the case
- Specialized law firms: class actions in preparation
Filing a Complaint
You can:
- Report to the CNIL via their online form
- File a police report at the gendarmerie or police station if you suffer harm
- Join a class action
The Systemic Problem
Too much data at too few operators: a structural vulnerability of the system.
The Centralization of Health Data
This affair reveals a fundamental problem:
Too much data at too few operators
- A few operators manage tens of millions of profiles
- One flaw = millions of victims
- Responsibility is diluted throughout the chain
Insufficient controls
- Healthcare professionals access too much data
- Authentication was weak (no widespread 2FA)
- Massive downloads were not detected
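A control for the last point, as an added example that is not from the operators or from this article's sources: a sliding-window check that flags any professional account looking up an unusual number of distinct beneficiaries. The log format, account names, window and threshold are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=15)  # assumed look-back window
THRESHOLD = 40                  # assumed ceiling on distinct beneficiaries per window

def parse(line):
    """Parse one line of the hypothetical portal log format built in sample_log()."""
    ts, *pairs = line.split()
    return datetime.strptime(ts, FMT), dict(p.split("=", 1) for p in pairs)

def detect_bulk_lookups(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each offending account to (time of first alert, distinct count then)."""
    recent = defaultdict(deque)                     # account -> (time, beneficiary) events
    counts = defaultdict(lambda: defaultdict(int))  # account -> beneficiary -> hits in window
    alerts = {}
    for line in lines:                              # lines must be in time order
        ts, f = parse(line)
        if f.get("action") != "coverage_check":
            continue
        acct, ben = f["account"], f["beneficiary"]
        q, c = recent[acct], counts[acct]
        q.append((ts, ben))
        c[ben] += 1
        while ts - q[0][0] > window:  # expire events older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) > threshold and acct not in alerts:
            alerts[acct] = (ts, len(c))
    return alerts

def sample_log():
    """Constructed data: a routine pharmacy account and a scripted bulk session."""
    t0 = datetime(2024, 1, 29, 9, 0, 0)
    rows = [(t0 + timedelta(minutes=30 * i), "pharm-0412", f"B{i:06d}")
            for i in range(12)]    # one patient every 30 minutes
    rows += [(t0 + timedelta(hours=2, seconds=2 * i), "dr-7781", f"B{1000 + i:06d}")
             for i in range(300)]  # one new beneficiary every 2 seconds
    return [f"{t.strftime(FMT)} account={a} action=coverage_check beneficiary={b}"
            for t, a, b in sorted(rows)]

if __name__ == "__main__":
    for acct, (ts, n) in detect_bulk_lookups(sample_log()).items():
        print(f"ALERT {acct}: {n} distinct beneficiaries in {WINDOW} by {ts}")
```

On the constructed data the scripted session is flagged 80 seconds after it starts, while the pharmacy account never comes close to the threshold.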
Lessons Not Learned
This is far from the first incident in the healthcare sector:
- Hospitals paralyzed by ransomware
- Laboratory data leaks
- Online pharmacy data breaches
The healthcare sector remains structurally vulnerable despite repeated warnings.
Complete FAQ
Were my medical records truly protected?
According to Viamedis and Almerys, yes. The databases that were hacked did not contain information about your conditions, treatments, or medical history. However, the stolen administrative data is sufficient to create credible fraud.
How do I know if I am affected?
Contact your mutual insurer to find out if they use Viamedis or Almerys. If you have not received a notification but your mutual insurer is a client of these operators, consider that your data has potentially been leaked.
Can I change my Social Security number?
No, this is impossible. The NIR (national registration number) is assigned for life. This is precisely why this data is so sensitive -- once compromised, it is compromised permanently.
Will my mutual insurer compensate me?
Not automatically. However, if you suffer demonstrable harm (fraud, identity theft), you can take legal action. Class actions are being prepared.
What should I do if I receive a call from "my mutual insurer"?
- Give no information
- Say you will call back yourself
- Use the official number of your mutual insurer (on your card or their website)
- Real mutual insurers never ask for sensitive data by phone
Is this breach linked to the hospital cyberattacks?
Not directly, but it illustrates the generalized vulnerability of the French healthcare sector. Hospitals, third-party payment operators, laboratories -- all are easy targets with often obsolete systems.
Conclusion: The Healthcare Sector Under Threat
The Viamedis and Almerys hack reveals a troubling truth: your health data is not protected.
Key takeaways:
- 33 million French citizens had their data exposed
- The Social Security number is permanently compromised for these individuals
- Phishing attacks will be ultra-targeted and credible
- Centralization of data creates massive vulnerabilities
- The healthcare sector remains structurally at risk
This affair is not isolated. It is part of a broader context where public services and subcontractors managing our most sensitive data fail to protect it.
The only response: take your security into your own hands. Monitor your accounts, be wary of unsolicited contacts, and strengthen your digital hygiene.
For a complete overview of cyberattacks in France: France, the Digital Sieve.
To protect yourself: Personal Data Protection Guide.
Sources
- CNIL - Viamedis and Almerys Cyberattack
- Le Monde - Third-party Payment Operators Hacked
- Numerama - Viamedis Technical Analysis
- ZDNet - Healthcare Security Flaws
- UFC-Que Choisir - Case Monitoring
- Official statements from Viamedis and Almerys