A threat actor is marketing what they claim is a 44-million-record dataset tied to French healthcare payment operator Almerys, including more than 15 million unique Social Security numbers belonging to French citizens. Cybernews researchers reviewed the listing and sample data on an underground cybercrime marketplace, though the full scale and authenticity of the broader dataset remain unconfirmed at this stage.
What Happened
A massive dataset allegedly tied to Almerys, one of France's key health payment operators, surfaced on a well-known cybercrime marketplace this week. The threat actor's post claims exposure of over 44 million records covering a significant portion of the French population. Almerys, founded in 2000 and headquartered in Clermont-Ferrand with offices in Paris, processes health payment data for 20 million insured individuals through a network of 84 healthcare organizations. The company has been contacted for comment but had not responded at the time of reporting. If verified, this would mark the second major security incident involving Almerys in two years, following the 2024 attack on Almerys and Viamedis that exposed data for more than 33 million people.
What Was Taken
Cybernews researchers reviewed the post and a data sample provided by the threat actor. The sample records contained personally identifiable information including:
- Full names
- Dates of birth
- Partial Social Security numbers (13-digit base, without the two-digit key)
- Employer or organization details
The threat actor's full listing claims more than 44 million total records and over 15 million unique Social Security numbers. Researchers noted the SSNs in the sample were partially redacted, raising the possibility that the seller intentionally truncated identifiers to preserve data value for buyers, a common tactic on dark web marketplaces.
Why It Matters
Almerys sits at the center of France's private health insurance infrastructure, processing payment data for one in three French citizens. A confirmed breach of this scale would expand on the 2024 Almerys and Viamedis incident, which CNIL flagged as one of the largest data exposures in French history. The combination of names, dates of birth, employer details, and Social Security numbers provides exactly the building blocks needed for identity theft, synthetic identity fraud, and targeted social engineering. Researchers also flagged the risk of workplace reconnaissance, where employer fields enable adversaries to map French citizens to specific organizations for follow-on phishing, business email compromise, or insider targeting campaigns. For defenders, this incident underscores the systemic risk concentrated in third-party health payment processors, where a single breach can cascade across dozens of insurance carriers.
The Attack Technique
The threat actor has not publicly disclosed the initial access vector, and Almerys has not confirmed any compromise. The pattern is consistent with previous large-scale French healthcare incidents, where attackers leveraged credential abuse against partner portals and B2B integration endpoints used by healthcare professionals and insurance brokers. The 2024 Almerys and Viamedis incident was traced to phishing attacks against healthcare professionals whose credentials granted access to insured-person lookup interfaces. Until the company confirms the incident and releases technical detail, the entry path remains speculative, though aggregation through partner portal abuse should be considered the leading hypothesis.
What Organizations Should Do
- Audit B2B and partner portal access. Enforce MFA across all healthcare professional, broker, and partner accounts, and rate-limit bulk lookup operations to detect scraping behavior early.
- Hunt for credential stuffing and anomalous lookups. Review logs for unusual volumes of insured-person queries, particularly from single accounts or new geographies, over the past 18 months.
- Re-evaluate third-party processor risk. Map which payment operators and clearinghouses hold customer PII, and require breach notification SLAs and security attestations in contracts.
- Prepare identity theft response for French employees. Organizations with French staff should brief workforces on the elevated phishing and identity fraud risk and recommend monitoring through Service-Public.fr resources.
- Tighten data minimization in lookup APIs. Return only the fields strictly needed for a workflow; truncate Social Security numbers in responses where the full value is not required.
- Coordinate with CNIL and ANSSI. French entities handling related data should engage regulators proactively if downstream exposure is suspected, given the recurring nature of incidents in this sector.
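The log hunt recommended above (unusual volumes of insured-person queries from a single account, or from a new geography) can be sketched as follows. This is an added example, not code from Cybernews or Almerys. The log format, account names, the "ZZ" placeholder country code, and the threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format): ISO time, account, country, action, insured ID
SAMPLE_LOG = """\
2025-01-06T09:02:11 broker-017 FR lookup P000101
2025-01-06T09:15:40 broker-017 FR lookup P000102
2025-01-06T09:20:03 pharma-233 FR lookup P004410
2025-01-06T10:01:00 pharma-233 FR lookup P004411
2025-01-07T02:00:01 broker-017 ZZ lookup P100000
2025-01-07T02:00:02 broker-017 ZZ lookup P100001
2025-01-07T02:00:03 broker-017 ZZ lookup P100002
2025-01-07T02:00:04 broker-017 ZZ lookup P100003
2025-01-07T02:00:05 broker-017 ZZ update P100003
""".splitlines()

def parse_line(line):
    """Split one log line into (timestamp, account, country, action, insured_id)."""
    ts, account, country, action, insured_id = line.split()
    return datetime.fromisoformat(ts), account, country, action, insured_id

def find_anomalies(lines, max_distinct_per_hour=3):
    """Return sorted (account, reason, detail) findings for lookup events."""
    seen_countries = defaultdict(set)   # account -> countries seen so far
    hourly_ids = defaultdict(set)       # (account, hour) -> distinct insured IDs
    findings = set()
    # Process events in time order so the per-account baseline builds up correctly.
    for ts, account, country, action, insured_id in sorted(map(parse_line, lines)):
        if action != "lookup":
            continue
        # New geography: the account has a baseline and this country is not in it.
        if seen_countries[account] and country not in seen_countries[account]:
            findings.add((account, "new_country", country))
        seen_countries[account].add(country)
        # Volume: distinct insured persons queried by one account in one clock hour.
        hour = ts.strftime("%Y-%m-%dT%H")
        hourly_ids[(account, hour)].add(insured_id)
        if len(hourly_ids[(account, hour)]) > max_distinct_per_hour:
            findings.add((account, "bulk_lookup", hour))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(finding)
```

Counting distinct insured IDs rather than raw requests keeps repeated queries on one patient from triggering the volume rule; the threshold should be set from each account type's normal workload.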
Sources: Hacker markets alleged Almerys database with millions of SSNs | Cybernews