Viamedis and Almerys: 33 Million French Citizens Exposed by a Flaw at Two Health Insurance Processors
In February 2024, the health data of 33 million French citizens was compromised through Viamedis and Almerys. Timeline, stolen data, consequences, and lessons for businesses.
Until 1 February 2024, the name Viamedis meant nothing to the general public; until 5 February, the same went for Almerys. Yet these two companies manage an operation that tens of millions of French citizens use every week without a second thought: tiers payant (third-party payment). When you show your supplementary health insurance card at the pharmacy and do not pay the remaining balance out of pocket, operators like Viamedis and Almerys process the transaction between the healthcare provider, the national health service (Assurance Maladie), and your supplementary insurer (mutuelle).
In February 2024, attackers compromised the systems of both operators within the space of a few days. The toll: the personal data of 33 million French citizens - nearly half the population - ended up in the hands of cybercriminals. Social security numbers, names, dates of birth, insurer identifiers, supplementary health contract details. All of it gone.
It is the largest health data breach in French history. And it relied on a flaw of staggering simplicity: healthcare professional accounts with no multi-factor authentication.
This article reconstructs the full story: who Viamedis and Almerys are, how the attack unfolded, what data was stolen, why 33 million people are affected, what the real-world consequences are for victims, and what lessons any organisation handling sensitive data should take away.
Viamedis and Almerys: Two Little-Known Operators at the Heart of the French Healthcare System
To understand the scale of this breach, you first need to understand what these two companies do and why they hold so much data.
Third-Party Payment: How It Works
Third-party payment (tiers payant) is the mechanism that spares French patients from paying medical costs upfront. When you visit a doctor or pharmacist, you only pay the co-payment (or nothing at all if your supplementary insurer covers the full amount). The rest is billed directly to the Assurance Maladie (France's national health service) and your supplementary insurer.
For this to work in real time, a technical intermediary is needed. When the pharmacist scans your Carte Vitale (health insurance card), the system must instantly verify: is this person covered by a supplementary insurer? What is their level of coverage? What amount should the insurer pay?
That is exactly the role of third-party payment operators like Viamedis and Almerys. They are the technical platform connecting healthcare providers to supplementary health insurers. They handle data flows, eligibility checks, and reimbursements.
Viamedis
Viamedis is a subsidiary of the Malakoff Humanis group, France's largest joint social protection group. The platform manages third-party payment for 84 supplementary health insurers, according to figures published before the incident. Its clients include Malakoff Humanis (naturally), but also Viasante Mutuelle, Carte Blanche Partenaires, and several dozen other mutuelles and provident institutions.
In practice, Viamedis operates an online portal where healthcare professionals (doctors, pharmacists, opticians, dentists) log in to check patient coverage and submit reimbursement requests.
Almerys
Almerys is based in Clermont-Ferrand and operates a similar service: managing third-party payment for supplementary health insurers. Its clients include the MGEN (Mutuelle Generale de l'Education Nationale - the mutual fund for public education employees, covering 4 million beneficiaries), Harmonie Mutuelle, and several dozen other organisations.
Almerys processes hundreds of millions of third-party payment transactions each year, according to figures published on its corporate website.
The Concentration Problem
Between them, Viamedis and Almerys handle supplementary third-party payment for a massive share of the French market. The CNIL (Commission Nationale de l'Informatique et des Libertes - France's data protection authority) estimated the number of people affected at 33 million - roughly half the French population, including policyholders and their dependents.
This figure is explained by the fact that nearly all French residents have supplementary health insurance (95% of the population, according to DREES, the French Ministry of Health's statistical office), and a very large proportion of these insurers are clients of one of these two operators. When you take out a supplementary health plan, you do not choose the third-party payment operator - your insurer made that choice for you. You probably have no idea whether your insurer uses Viamedis, Almerys, or another provider.
This is a fundamental point: 33 million French citizens had their data with these two operators without knowing it.
Full Timeline of the Attack
January 2024: The Reconnaissance Phase
According to information released by Viamedis and analyses published by specialist press outlets (Numerama, 01net, Le Monde), the first signs of malicious activity date back to late January 2024. The attackers are believed to have targeted healthcare professional accounts with access to the Viamedis portal, probably through phishing or by reusing credentials compromised in earlier breaches.
The technique is known as credential stuffing: attackers test username/password combinations recovered from previous breaches (LinkedIn, Facebook, databases resold on the dark web) against other services, betting that many users reuse the same password everywhere.
1 February 2024: Viamedis Detects the Intrusion
On 1 February 2024, Viamedis detects abnormal access to its portal. The internal investigation reveals that healthcare professional accounts have been compromised and used to access policyholder data on a massive scale.
Christophe Cande, Viamedis's CEO, publicly confirms that the attack exploited stolen healthcare professional credentials to log in to the portal. "This is not a ransomware attack," he states in a press release cited by Le Monde. It is a data exfiltration via hijacked legitimate access.
Viamedis immediately takes its portal offline, cutting off third-party payment access for healthcare providers using its platform. This emergency decision has direct consequences: in pharmacies, medical practices, and optician offices, supplementary third-party payment no longer works for policyholders of insurers routed through Viamedis. Patients must pay out of pocket and request reimbursement after the fact.
5 February 2024: Almerys Hit in Turn
On 5 February 2024, Almerys announces that it too has suffered a similar attack. The same methods - compromised healthcare professional accounts - were used to access its policyholder data.
The fact that both operators were hit within days of each other using the same technique raises a question: was this the same group of attackers targeting both platforms in parallel, or two separate attacks exploiting the same structural vulnerability (the absence of MFA on healthcare professional accounts)? At the time of writing, the investigation has not publicly resolved this question.
7 February 2024: The CNIL Steps In
On 7 February 2024, the CNIL publishes a press release announcing that it has been notified of the data breaches by both operators and has launched investigations. The release includes the initial estimate: 33 million people are potentially affected.
The CNIL reminds supplementary health insurers that, as data controllers, they are obligated to individually notify the people whose data has been compromised. This obligation stems from Article 34 of the GDPR, which requires notification of affected individuals when the breach is "likely to result in a high risk to the rights and freedoms of natural persons."
8-9 February 2024: Confirmation of the Scale
Over the following days, the picture becomes clearer. The CNIL confirms in an updated statement that the figure of 33 million corresponds to all policyholders and their dependents covered by the supplementary health insurers using Viamedis and Almerys.
The supplementary health insurers begin notifying their policyholders. Malakoff Humanis, MGEN, Viasante, Harmonie Mutuelle, and dozens of other mutuelles and provident institutions send notifications by email and post. The volume is such that insurer customer service departments are overwhelmed for weeks.
February-March 2024: The Aftermath
Viamedis gradually brings its portal back online after deploying additional security measures, including multi-factor authentication on professional access. Almerys does the same.
The CNIL announces that it will carry out in-depth audits of both operators to assess compliance with their data security obligations.
The Paris public prosecutor's office opens a criminal investigation, assigned to the sub-directorate for the fight against cybercrime (SDLC) within the judicial police.
How the Attackers Got In: The Mechanics of the Flaw
The Viamedis-Almerys attack is a textbook case of account takeover (ATO): no exploit against the platform itself, only legitimate accounts used by the wrong people. Here is how it played out.
Step 1: Obtain Healthcare Professional Credentials
The Viamedis and Almerys portals are accessible to healthcare professionals - doctors, pharmacists, opticians, dentists, physiotherapists - who log in to check patient coverage and submit third-party payment reimbursement requests.
These accounts are protected by a username/password combination. In France, self-employed healthcare professionals often manage their own IT credentials without the support of a dedicated IT department. Password reuse is widespread: according to the Verizon DBIR 2024 report, stolen or reused credentials are involved in 77% of attacks against web applications.
The attackers most likely obtained these credentials through one of the following methods (or a combination):
- Targeted phishing: emails impersonating Viamedis or Almerys, asking healthcare professionals to re-authenticate on their portal via a fake website. For a broader look at phishing in France, see our article on enterprise phishing statistics in 2026.
- Credential stuffing: reusing credentials recovered from earlier breaches (a healthcare professional who uses the same password for their third-party payment portal and LinkedIn, for example).
- Dark web purchase: databases of compromised credentials are permanently on sale on cybercriminal forums. A batch of 1,000 healthcare professional credentials can be bought for a few hundred euros.
Step 2: Logging into the Portal Without Resistance
Once in possession of a valid username/password pair, the attackers log in to the portal. And this is where the flaw is most serious: no additional verification is required. No SMS code, no authenticator app (TOTP), no physical key (FIDO2/WebAuthn). A password alone is enough.
The portal also lacked effective anomaly detection: a login from an unfamiliar IP address or country, from an unknown device, at an unusual hour, or a query rate that no pharmacist serving patients at a counter could sustain. Each of these is a signal that could have triggered an alert, a step-up challenge, or an automatic lockout.
Step 3: Massive Data Extraction
Once logged in with a healthcare professional's credentials, the attackers have access to the coverage verification interface. This interface, designed for a pharmacist to check one patient's coverage at a time, can be automated. Using scripts, the attackers queried the database en masse: request after request, they extracted the records of millions of policyholders whose supplementary health insurers are managed by the operator.
The absence of rate limiting (capping the number of lookups per account, per session and per source IP) and of any volume-based alerting allowed this massive extraction to proceed without triggering an alarm. A pharmacist performs a few dozen eligibility checks a day; a script performing hundreds per minute from a single account is not a busy pharmacy, it is an exfiltration.
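The two detections described above, volume-based alerting on lookups and alerting on a login from an origin the account has never used, are easy to express as a script over access logs. The following Python is an added example and is not code from Viamedis, Almerys or the original article. The CSV log layout, the account names, the IP addresses, the thresholds and the working-hours window are all assumptions, the sample log is constructed in the script, and the country code ZZ is an ISO 3166 user-assigned placeholder rather than a real country.

```python
"""Added example: detections for account takeover of a coverage-lookup portal.
Runs over constructed access-log lines; the CSV layout
"timestamp,account,src_ip,country,action" is an assumption, not a real
Viamedis/Almerys log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one normal pharmacist account and one hijacked
    dentist account scripting lookups at night from an unfamiliar origin.
    'ZZ' is a placeholder country code (ISO 3166 user-assigned), not a real one."""
    lines = []
    day = datetime(2024, 1, 30, 9, 0)
    lines.append(f"{day.isoformat()},pharma-0421,82.64.10.5,FR,login")
    for i in range(40):  # about one lookup every 12 minutes over a working day
        t = day + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()},pharma-0421,82.64.10.5,FR,lookup")
    night = datetime(2024, 1, 30, 2, 0)
    lines.append(f"{night.isoformat()},dentist-1187,203.0.113.77,ZZ,login")
    for i in range(600):  # scripted extraction: one lookup every 3 seconds
        t = night + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()},dentist-1187,203.0.113.77,ZZ,lookup")
    return lines


def parse_log(lines):
    """Parse CSV lines into (timestamp, account, src_ip, country, action), time-sorted."""
    events = []
    for line in lines:
        ts, account, ip, country, action = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), account, ip, country, action))
    events.sort(key=lambda e: e[0])
    return events


def bulk_lookup_alerts(events, window=timedelta(minutes=60), threshold=200):
    """Sliding-window count of lookups per account.
    Returns {account: peak lookups inside any `window`} for accounts at or above
    `threshold`. A pharmacist serving patients cannot plausibly reach it;
    a script extracting records does within minutes."""
    recent = defaultdict(deque)
    peak = {}
    for ts, account, _ip, _country, action in events:
        if action != "lookup":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[account] = max(peak.get(account, 0), len(q))
    return {a: n for a, n in peak.items() if n >= threshold}


def new_origin_alerts(events, baseline):
    """Flag the first event from a country the account has not used before.
    `baseline` maps account -> set of countries seen historically (assumed to be
    built from, e.g., the previous 90 days of logs)."""
    seen = {a: set(c) for a, c in baseline.items()}
    alerts = []
    for ts, account, ip, country, _action in events:
        known = seen.setdefault(account, set())
        if country not in known:
            alerts.append((ts, account, ip, country))
            known.add(country)  # one alert per new country, not one per request
    return alerts


def off_hours_accounts(events, start_hour=22, end_hour=6):
    """Accounts performing lookups between start_hour and end_hour (assumed local time)."""
    flagged = set()
    for ts, account, _ip, _country, action in events:
        if action == "lookup" and (ts.hour >= start_hour or ts.hour < end_hour):
            flagged.add(account)
    return flagged


def run_detections(lines, baseline):
    """Run all three detections over raw log lines and return their findings."""
    events = parse_log(lines)
    return {
        "bulk": bulk_lookup_alerts(events),
        "new_origin": new_origin_alerts(events, baseline),
        "off_hours": off_hours_accounts(events),
    }


if __name__ == "__main__":
    known = {"pharma-0421": {"FR"}, "dentist-1187": {"FR"}}
    for name, result in run_detections(build_sample_log(), known).items():
        print(name, result)
```

The threshold of 200 lookups per hour is deliberately generous; the point is that a human-paced workload and a scripted extraction differ by orders of magnitude, so the exact number matters less than having any ceiling at all. In production the same counters would also feed a per-account lockout and a step-up authentication prompt rather than only an alert.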
Why the Absence of MFA Is the Root Cause
If a single factor had to be singled out to explain this breach, it is the absence of MFA. With multi-factor authentication, even a basic method like an SMS code, a compromised password is no longer enough: the attacker must also control the healthcare professional's phone or second factor. Credential stuffing stops working as an automated, large-scale technique, because every account would require a separate, hands-on compromise of its second factor.
Microsoft regularly publishes statistics on MFA effectiveness: according to its 2023 data, MFA blocks 99.2% of automated credential-compromise attacks. Google reports similar figures for its Advanced Protection Programme.
In other words: for a control that costs a few euros per user per month to deploy, Viamedis and Almerys could probably have prevented the entire attack.
The Stolen Data: What Was Compromised and What Was Not
What Was Stolen
The CNIL and both operators confirmed the list of compromised data. For each policyholder, the attackers gained access to:
| Data | Example | Primary Risk |
|---|---|---|
| Civil status | Surname, first name | Identity theft |
| Date of birth | 15/03/1985 | Fraudulent identity verification |
| Social security number (NIR) | 1 85 03 75 108 123 48 (constructed example with a valid check key) | Lifelong administrative impersonation |
| Name of health insurer | Malakoff Humanis | Convincing targeted phishing |
| Contract number | MH-2024-XXXXX | Reimbursement fraud |
| Contract coverage | Optical EUR 450/year, Dental 100% | Commercial targeting, fraud |
The combination of these data points is particularly dangerous. An attacker who knows you are insured with Malakoff Humanis under contract number X with optical coverage of EUR 450/year can send you a perfectly credible email impersonating your insurer, referencing details that only your insurer should know.
Why the NIR Is the Most Toxic Piece of Data
The French social security number (NIR - Numero d'Inscription au Repertoire) deserves special attention. Unlike a password, a phone number, or even a bank account number (IBAN), the NIR is permanent and cannot be changed. It is assigned at birth and follows you for life. There is no procedure in France to obtain a new one (except in exceptional cases involving a change of civil status).
The NIR is used as an identifier in numerous systems:
- The Assurance Maladie (France's national health service - Ameli)
- Pension funds
- Social benefit agencies (CAF - family benefits, France Travail - the public employment service)
- Payslips and social declarations
- Certain banking and insurance procedures
An attacker who has your NIR, name, date of birth, and address can present themselves at a counter (physical or online) in your name. Identity fraud using the NIR is particularly difficult to detect and to correct.
The bottom line: the 33 million NIRs compromised in this breach are exploitable by criminals for decades. That is the fundamental difference from a banking data breach: the bank can issue a new card in 48 hours. The social security system cannot issue a new NIR.
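Because the NIR is so sensitive and so long-lived, the first thing a practitioner wants after an incident like this is a reliable way to find it in exports, tickets and logs and to mask it. The NIR is not a random 15-digit string: its last two digits are a check key (97 minus the first 13 digits modulo 97, with the Corsican departments 2A and 2B handled specially), so a DLP rule can validate candidates instead of matching every long number. The following Python is an added example, not code from the page or from the operators; every NIR in it is constructed for illustration (the keys are computed, the identities are invented), and it deliberately covers only the common cases (sex codes 1 and 2, months 01 to 12 and the "unknown month" code 20), leaving out the provisional and foreign-birth codes INSEE also defines.

```python
"""Added example: validate, find and mask French NIRs (social security numbers).
Layout: S YY MM DD CCC OOO KK = sex(1) year(2) month(2) department(2, '2A'/'2B'
for Corsica) commune-or-country(3) order(3) key(2). The key is
97 - (first 13 digits mod 97); for 2A the '2A' is read as '19' and 1,000,000 is
subtracted, for 2B it is read as '18' and 2,000,000 is subtracted.
All NIRs used here are constructed for the example, not real identifiers."""
import re

# Groups optionally separated by a single space, as printed on a Carte Vitale.
# Restricted to sex codes 1/2 and months 01-12 or 20 (unknown month): an assumption
# that omits provisional and foreign-birth codes.
NIR_RE = re.compile(
    r"\b[12] ?\d{2} ?(?:0[1-9]|1[0-2]|20) ?(?:\d{2}|2[AB]) ?\d{3} ?\d{3} ?\d{2}\b"
)


def normalize(nir: str) -> str:
    return nir.replace(" ", "").upper()


def nir_key(body: str) -> int:
    """Check key for the 13-character body (5 digits, department, 6 digits)."""
    if not re.fullmatch(r"\d{5}(?:\d{2}|2[AB])\d{6}", body):
        raise ValueError("body must be 13 characters: 5 digits, dept, 6 digits")
    dept = body[5:7]
    if dept == "2A":
        value = int(body.replace("2A", "19", 1)) - 1_000_000
    elif dept == "2B":
        value = int(body.replace("2B", "18", 1)) - 2_000_000
    else:
        value = int(body)
    return 97 - (value % 97)


def is_valid_nir(nir: str) -> bool:
    """Structural check plus check-key verification."""
    s = normalize(nir)
    if not NIR_RE.fullmatch(s):
        return False
    return nir_key(s[:13]) == int(s[13:])


def find_nirs(text: str) -> list[str]:
    """Valid NIRs found in free text (an export line, a ticket, a log), normalized.
    Candidates whose key does not verify are ignored, which keeps false positives
    from arbitrary 15-digit numbers low."""
    return [normalize(m.group(0)) for m in NIR_RE.finditer(text) if is_valid_nir(m.group(0))]


def mask_nir(nir: str) -> str:
    """Keep sex, birth year and month (enough for age-band statistics), hide the rest."""
    s = normalize(nir)
    if not is_valid_nir(s):
        raise ValueError("not a valid NIR")
    return f"{s[0]} {s[1:3]} {s[3:5]} ** *** *** **"


def scrub(text: str) -> str:
    """Replace every valid NIR in `text` with its masked form; leave other numbers alone."""
    return NIR_RE.sub(
        lambda m: mask_nir(m.group(0)) if is_valid_nir(m.group(0)) else m.group(0), text
    )


if __name__ == "__main__":
    # Constructed export line; DUPONT and the contract reference are invented.
    line = "patient=DUPONT;nir=1 85 03 75 108 123 48;insurer=MH;contract=MH-2024-XXXXX"
    print(find_nirs(line))   # ['185037510812348']
    print(scrub(line))       # nir=1 85 03 ** *** *** **
    print(nir_key("290052A004012"))  # 93: Corsican department handled
```

Run over a breach-notification mailbox or an application log, `scrub` is the difference between a ticket that quotes a 15-digit identifier that will be valid for the next sixty years and one that quotes an age band. The check key also catches the most common transcription errors, so the same code doubles as input validation on a member portal.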
What Was NOT Stolen
Both operators and the CNIL confirmed that the following data was not present in the compromised systems and was therefore not stolen:
- Banking data (IBAN, bank details, card numbers)
- Medical data (diagnoses, prescriptions, test results, treatment history)
- Reimbursement details (amounts, procedure details)
- Postal addresses and email addresses (not present in the third-party payment databases queried by healthcare professionals)
- Phone numbers
This scope is an important point. The Viamedis and Almerys third-party payment systems are coverage verification platforms, not medical records. They contain the information needed to answer the question "is this person eligible for third-party payment, and for how much?" - not clinical data.
This does not diminish the severity of the breach - the NIR alone is enough to cause lasting harm - but it does mean that the medical diagnoses, treatments, and care histories of 33 million people are not in the attackers' hands. That is a relative consolation.
Why 33 Million: The Concentration Problem
The figure of 33 million is striking. How can two companies that nobody has heard of hold the data of half the French population?
A Hyper-Concentrated Market
The French market for supplementary third-party payment operators is an oligopoly. Only a handful of players exist: Viamedis, Almerys, Actil (a legacy operator acquired by Cegedim), and a few others. Between them, Viamedis and Almerys hold a majority market share.
This concentration is explained by the nature of the service. A third-party payment operator must be interconnected with thousands of pharmacies, medical practices, hospitals, and with dozens of supplementary health insurers. Building and maintaining this transaction infrastructure is expensive, creating a natural barrier to entry. The market tends towards concentration.
The Cascade Effect
When a supplementary health insurer signs a contract with Viamedis for third-party payment management, it is not only direct policyholders who are affected. Dependents are too: the spouse, the children. A family plan with an insurer that uses Viamedis exposes 3 or 4 people at once.
Malakoff Humanis, Viamedis's largest shareholder, is the largest joint social protection group in France. On its own, it covers millions of people. Add the other 83 supplementary insurers that are Viamedis clients, then the dozens of insurers that are Almerys clients (including the MGEN with its 4 million beneficiaries), and you reach 33 million people.
The Systemic Risk of Outsourcing
This concentration creates systemic risk. When a single technical provider manages the data of tens of millions of people on behalf of dozens of organisations, compromising that single provider has disproportionate consequences.
It is the same pattern as the SolarWinds attack in 2020 in the United States or the MOVEit vulnerability exploitation in 2023: compromising one link in the supply chain makes it possible to reach all of that link's customers.
European regulators are beginning to grasp the scale of this risk. The DORA regulation (Digital Operational Resilience Act), which came into effect in January 2025, requires financial entities to map and manage the risk posed by their ICT service providers. The healthcare sector does not yet have an equivalently binding framework.
Immediate Consequences: The Crisis of the First Weeks
The Third-Party Payment Outage
The first tangible consequence for French citizens was the loss of third-party payment. When Viamedis took its portal offline on 1 February 2024, healthcare providers using its platform could no longer verify patient coverage in real time. The result: at pharmacies, patients had to pay their insurer's share upfront and claim reimbursement later.
This situation lasted several days for Viamedis and slightly less for Almerys. For elderly patients, for those who cannot afford to pay upfront, for chronically ill patients who need daily medication, this outage had immediate real-world consequences.
Notifying the Policyholders
The supplementary health insurers found themselves obligated to individually notify their policyholders. Under Article 34 of the GDPR, this notification must occur "without undue delay" when the breach is likely to result in a high risk.
The logistical problem is immense: notifying 33 million people requires a considerable effort. The mutuelles sent waves of emails, postal letters, and messages through online member portals. Some took several weeks to inform all of their policyholders.
The content of these notifications varied from one insurer to another, creating confusion among policyholders. Some received an alarmist message, others a simple advisory. The lack of centralised communication (each insurer communicating separately) made the situation difficult for the general public to navigate.
The CNIL's Emergency Session
The CNIL held an emergency session in the days following the disclosure. The authority issued a detailed statement reminding supplementary health insurers and third-party payment operators of their obligations, and launched formal investigations.
The CNIL also published a dedicated information page on its website, gathering answers to the most common questions: am I affected? What data is involved? What should I do?
The Secondary Wave: The Phishing That Followed the Breach
While the initial attack compromised the data of 33 million people, the most tangible consequences for victims came in the weeks and months that followed, in the form of a massive wave of targeted phishing.
Immediate Exploitation of the Stolen Data
The data stolen from Viamedis and Almerys is a perfect phishing kit. An attacker who knows you are insured with Malakoff Humanis, with supplementary health contract number X, can send you an email that looks like an official communication from your insurer. They know your name, your social security number, your insurer's name. The email might say: "Following the security incident at our provider Viamedis, we invite you to update your information by clicking the link below."
Cybermalveillance.gouv.fr, the French government's platform for assisting cybercrime victims, issued a specific alert in February 2024 about phishing risks following the Viamedis-Almerys breach. The message is clear: do not click any link in an email claiming to come from your insurer in connection with this incident.
Observed Attack Patterns
Numerama and 01net documented several types of phishing attempts exploiting the Viamedis-Almerys data:
Emails impersonating insurers. Emails replicating the branding of Malakoff Humanis, MGEN, or other mutuelles, asking policyholders to "confirm their details" or "update their password." The objective: harvest login credentials for the insurer's member portal, and often banking details too.
Text messages purporting to come from the Assurance Maladie. Short messages such as "Your Carte Vitale is about to expire, renew it at ameli-renouvellement.fr" (a fake site). This scam existed before the Viamedis-Almerys breach, but the stolen data allows it to be personalised: "Hello [first name], following a security incident affecting your health data..."
Phone calls (vishing). Individuals posing as Ameli advisors or agents from your insurer, citing your social security number to prove their "legitimacy." The objective: obtain your banking details or a wire transfer.
Knowledge of the NIR is the most formidable weapon in this arsenal. A caller who cites your social security number immediately gains credibility, because this information is considered confidential. The victim thinks: "Only my insurer or the Assurance Maladie would know my social security number, so this must be a legitimate call." It is not - but that is the logic that works.
For a comprehensive overview of modern phishing techniques, including quishing, vishing, and smishing, see our article on enterprise phishing statistics in 2026.
The Scale of the Wave
Cybermalveillance.gouv.fr recorded a spike in reports in the weeks following the breach disclosure. The platform published a dedicated factsheet titled "Viamedis-Almerys Health Data Breach: Risks and Best Practices."
Health-related phishing and scams impersonating the Assurance Maladie were already the number-one threat reported on Cybermalveillance.gouv.fr before the Viamedis-Almerys incident. After the breach, the phenomenon intensified in a documented fashion.
Why Health Data Is Worth More Than Banking Data
The Viamedis-Almerys case sits within a broader context: health-related data is the top target for cybercriminals, ahead of banking data. Three structural reasons explain this hierarchy.
Permanence
Your credit card number is compromised? Your bank issues a new one in 48 hours. The old one becomes useless. Your password is stolen? You change it. Your email is compromised? You create a new one.
Your social security number is compromised? It stays compromised for the rest of your life. Your health coverage information is exposed? It remains exploitable as long as you keep the same plan - and even after that, the name of your former insurer and the contract number remain useful for fraud attempts.
According to the IBM Cost of a Data Breach 2023 report, healthcare carried the highest average breach cost of any sector: USD 10.93 million, more than double the cross-industry average of USD 4.45 million that year. This permanence is the primary factor.
Versatility for Fraud
A stolen credit card number is only useful for fraudulent purchases. Health data, combined with identity data (name, date of birth, NIR), opens the door to multiple types of fraud:
- Identity theft: opening accounts, claiming benefits, taking out loans in the victim's name.
- Insurance fraud: filing false care reimbursements using coverage information.
- Blackmail: if medical data is included (not the case in the Viamedis-Almerys incident, but true for other breaches).
- Commercial targeting: reselling data to marketing operations for health products, insurance, or competing supplementary insurers.
Dark Web Pricing
The figures are consistent across specialist literature. Trustwave SpiderLabs, the Ponemon Institute, and Recorded Future regularly publish studies on the valuation of stolen data. The ballpark:
| Data Type | Average Dark Web Price |
|---|---|
| Credit card number (with CVV) | USD 5-10 |
| Online banking credentials | USD 50-200 |
| Complete medical record | USD 250-1,000 |
| Social security number (isolated) | USD 1-5 |
| NIR + full identity + insurer | USD 30-100 |
The data package stolen from Viamedis and Almerys (NIR + civil status + insurer + contract + coverage) falls in the USD 30-100 range per record. Multiplied by 33 million records, the theoretical value of this database runs into the billions of dollars on paper, although bulk dumps never sell at per-record retail prices.
The CNIL Investigation and Regulatory Response
The CNIL's Investigation
The CNIL opened investigations as soon as Viamedis and Almerys notified the breaches. The points under examination cover several areas.
The security obligation (Article 32 of the GDPR). Article 32 requires data controllers and processors to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk." The absence of MFA on access to a database containing 33 million people's records squarely raises the question of whether the security measures were "appropriate."
Allocation of responsibility. The chain of responsibility is complex. Viamedis and Almerys are data processors within the meaning of the GDPR: they process data on behalf of the supplementary health insurers (the data controllers). But processors also have direct security obligations (Articles 28 and 32 of the GDPR). The CNIL must determine who is responsible for what: the third-party payment operator that failed to enable MFA, or the supplementary health insurers that failed to require it in their processing agreements?
Compliance of the notification. The CNIL is verifying that notification timelines (72 hours to notify the CNIL, "without undue delay" for affected individuals) were respected and that the content of the notifications was compliant.
CNIL Enforcement Precedents in Healthcare
The CNIL has an established record of enforcement in the healthcare sector:
- Dedalus Biologie: EUR 1.5 million fine in April 2022 for the leak of 500,000 medical records. The CNIL identified failures in data security, including a lack of encryption and unauthorised data extractions.
- Doctissimo: EUR 380,000 fine in May 2023 for processing health data without a valid legal basis and security failings.
- Cegedim Sante: EUR 800,000 fine in September 2024 for unlawful processing of health data (transmitting health data to partners without proper anonymisation).
These precedents show that the CNIL is prepared to sanction healthcare sector actors. The potential amount of a fine for Viamedis and Almerys will depend on the investigation's conclusions, but the GDPR allows fines of up to 4% of annual worldwide turnover or EUR 20 million (whichever is higher).
The Legislative Response
The Viamedis-Almerys case has reignited the debate about health data security in France. Several initiatives emerged in its wake:
The CaRE programme. The Cybersecurite, acceleration et Resilience des Etablissements (Cybersecurity, Acceleration and Resilience of Healthcare Establishments) programme, launched in late 2023 by the Ministry of Health with EUR 750 million over 2023-2027, took on fresh urgency. The programme funds concrete measures: MFA, network segmentation, offline backups, cyber crisis exercises, and staff training.
Strengthened HDS requirements. The HDS (Hebergement de Donnees de Sante - Health Data Hosting) certification, mandatory for health data hosting providers, was updated in 2024 with strengthened requirements, including data localisation within the European Economic Area.
The NIS 2 Directive. The transposition of the European NIS 2 Directive into French law (due by 17 October 2024, a deadline France missed) extends cybersecurity obligations to a much broader range of entities, including in the healthcare sector. Third-party payment operators like Viamedis and Almerys would most likely fall within the scope of "essential entities" or "important entities" under NIS 2.
The MFA Lesson: How a Simple Measure Could Have Changed Everything
If a single takeaway had to be drawn from the Viamedis-Almerys case, it is this: multi-factor authentication would most likely have prevented the attack.
What MFA Is
Multi-factor authentication (MFA, or 2FA for two-factor authentication) adds a second verification factor to the password. Instead of logging in solely with a username and password (something you know), the system also asks for something you have (a phone, a physical key) or something you are (fingerprint, facial recognition).
The most common methods:
- SMS code: a 6-digit code sent by text message to your phone. The simplest but least secure method (interception is possible via SIM swapping).
- Authenticator app (TOTP): an app like Google Authenticator, Microsoft Authenticator, or Authy generates a temporary code every 30 seconds.
- Physical key (FIDO2/WebAuthn): a USB or NFC key (YubiKey, Google Titan) that you plug into or tap against your computer. The most secure method and the only one that is phishing-resistant: the credential is bound to the legitimate site's origin, so a lookalike page cannot obtain a usable signature from it.
- Push notification: a notification sent to your phone that you approve with a tap.
Why MFA Was Not in Place
The burning question: why had Viamedis and Almerys not enabled MFA on healthcare professional accounts in 2024?
Several hypotheses, documented by the specialist press:
User friction. Self-employed healthcare professionals - doctors, pharmacists, opticians - log in to the third-party payment portal dozens of times a day. Adding an extra authentication step at each login is seen as an operational burden. The argument is real but does not hold up against the risk: MFA solutions exist that only require verification on first login from a new device or location, without slowing down routine connections.
Technical debt. Third-party payment portals are often built on systems that are 10 or 15 years old. Adding MFA to legacy architecture can require significant modifications. But in 2024, SaaS-based MFA solutions can be integrated in a matter of weeks.
The absence of an explicit regulatory requirement. Before the incident, no regulation explicitly required third-party payment operators to deploy MFA. The GDPR refers to "appropriate technical and organisational measures" without listing specific controls. The ANSSI (Agence Nationale de la Securite des Systemes d'Information - France's national cybersecurity agency) recommends MFA in its guidelines, but its recommendations are not binding on private operators (they are binding on OIV - operators of vital importance).
What Has Changed Since
In the weeks following the incident, Viamedis and Almerys deployed MFA on their portals. The CNIL issued explicit recommendations to healthcare sector operators regarding enhanced authentication.
The takeaway is bitter: it took the compromise of 33 million people's data for MFA to be deployed. A measure that would have cost a few tens of thousands of euros to implement was neglected until a disaster made it inevitable.
To check whether your own organisation is exposed to basic email security flaws, test your domain free with our diagnostic tool.
Supply Chain Risk: When Your Vendor Becomes Your Biggest Vulnerability
The Viamedis-Almerys case illustrates a structural problem that every organisation must account for: supply chain risk.
You Do Not Choose Your Suppliers' Suppliers
When you take out supplementary health insurance with Malakoff Humanis, you do not sign a contract with Viamedis. You probably do not even know Viamedis exists. Yet your data passes through their system every time you present your health insurance card at the pharmacy.
This is the reality of the digital economy: every organisation depends on dozens, sometimes hundreds, of technical providers. Your company uses a payroll application, an HR management tool, a cloud host, an email provider - each of them potentially has access to sensitive data. And each of them has its own subcontractors.
Major Recent Supply Chain Attacks
The Viamedis-Almerys case is part of a series of attacks targeting the supply chain:
MOVEit (2023). The cybercriminal group Cl0p exploited a zero-day vulnerability in the MOVEit file transfer software, compromising more than 2,600 organisations worldwide, including France Travail (France's public employment service, formerly Pôle emploi - 10 million people affected), Shell, British Airways, and the BBC.
SolarWinds (2020). Attackers (attributed to Russian intelligence services) injected malware into an update of the SolarWinds Orion monitoring software, compromising 18,000 client organisations, including US federal agencies.
Kaseya VSA (2021). The REvil group exploited a vulnerability in the Kaseya VSA remote management software to deploy ransomware at more than 1,500 organisations via the IT providers using the software.
The pattern is always the same: compromise one link in the supply chain to reach all of that link's customers. The more central the link, the more massive the damage.
How to Assess Supply Chain Risk
The GDPR requires data controllers (the supplementary health insurers in the Viamedis-Almerys case) to ensure that their processors offer "sufficient guarantees" regarding security (Article 28). In practice, this means:
Before signing the contract:
- Request the provider's security audit report (SOC 2 Type II, ISO 27001)
- Verify the authentication measures in place (is MFA mandatory?)
- Evaluate intrusion detection and incident response procedures
- Understand who has access to the data and at what level
During the relationship:
- Conduct regular audits (at least annually)
- Require notification of security incidents within strict timeframes
- Verify that security measures are maintained and updated
- Test incident response plans
In the contract:
- Detailed and binding security clauses
- Right to audit
- Penalties for non-compliance
- Notification obligation within 24 hours (the GDPR mandates 72 hours, but nothing prevents contractually requiring a shorter timeframe)
What Businesses Should Take Away from This Breach
The Viamedis-Almerys case is not an isolated incident. It is a symptom of a systemic problem: organisations managing sensitive data at massive scale with insufficient security measures. Here are the concrete lessons.
1. MFA Is a Prerequisite, Not an Option
In 2024, there is no acceptable excuse for failing to deploy MFA on access to systems containing personal data. It is the security control with the best cost-effectiveness ratio in existence.
Action: enable MFA on all sensitive access points this week. Start with administrator accounts and remote access, then extend to all users. The cost: a few euros per user per month. The payoff: blocking 99% of credential-compromise attacks.
2. Map Your Subcontractors and Assess Their Security
Most companies do not know how many subcontractors have access to their data. Take inventory. For every provider that processes personal or sensitive data: what data? What security measures? What is the plan in the event of an incident?
3. Limit the Volume of Exposed Data
The more data you store, the higher the risk in the event of a breach. Apply the GDPR's data minimisation principle: collect and retain only the data that is strictly necessary. Purge obsolete data. If Viamedis had limited database access to only active policyholder records, the number of victims would have been reduced.
4. Implement Anomaly Detection
A system that allows millions of records to be extracted without triggering an alert is a blind system. Invest in monitoring: alerts on unusual query volumes, detection of logins from unusual locations or devices, user and entity behaviour analytics (UEBA).
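The first of those alerts, unusual query volume, is simple enough to show end to end. The following detection is written for this article (it is not Viamedis or Almerys tooling) and runs over a constructed audit log in a hypothetical `timestamp account=... action=lookup records=N` format: it sums the records each account pulled inside a sliding window and raises one alert per burst that crosses a threshold. Account names, timestamps and the 500-records-per-10-minutes limit are all assumptions to tune against your own portal's baseline.

```python
"""Flag bulk record extraction from an audit log of policyholder lookups.

Added example, not Viamedis/Almerys tooling. The log lines are constructed
in a hypothetical format (timestamp account action records); adapt the
regex to your portal's real audit log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: a pharmacist doing normal single-record lookups and an
# optician account suddenly pulling hundreds of records per query.
SAMPLE_LOG = """\
2024-02-01T08:02:11Z account=pharm-0417 action=lookup records=1
2024-02-01T08:15:40Z account=pharm-0417 action=lookup records=1
2024-02-01T08:31:05Z account=pharm-0417 action=lookup records=2
2024-02-01T08:33:00Z account=opti-0088 action=lookup records=1
2024-02-01T09:41:12Z account=opti-0088 action=lookup records=250
2024-02-01T09:43:57Z account=opti-0088 action=lookup records=250
2024-02-01T09:46:20Z account=opti-0088 action=lookup records=250
2024-02-01T09:50:02Z account=pharm-0417 action=lookup records=1
malformed line that the parser must skip
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"account=(?P<account>\S+) action=lookup records=(?P<n>\d+)$"
)


def parse_line(line: str):
    """Return (timestamp, account, records) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, m["account"], int(m["n"])


def detect_bulk_extraction(lines, window=timedelta(minutes=10), max_records=500):
    """Alert when one account's records returned inside a sliding window exceed max_records.

    Returns a list of (account, iso_timestamp, records_in_window), one alert per
    burst: the account is re-armed once its windowed total drops back under the
    threshold. Events are sorted by time first, so out-of-order lines are fine.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)   # account -> deque of (ts, n) still inside the window
    total = defaultdict(int)      # account -> sum of n over `recent`
    armed = defaultdict(lambda: True)
    alerts = []
    for ts, account, n in events:
        q = recent[account]
        q.append((ts, n))
        total[account] += n
        # Drop events that fell out of the window ending at this event.
        while q and ts - q[0][0] > window:
            _, old_n = q.popleft()
            total[account] -= old_n
        if total[account] > max_records:
            if armed[account]:
                alerts.append((account, ts.isoformat(), total[account]))
                armed[account] = False
        else:
            armed[account] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_extraction(SAMPLE_LOG):
        print("ALERT bulk extraction:", alert)
```

On the sample log the pharmacist never trips the rule, while the optician account is flagged at 09:46:20 with 750 records in ten minutes. The design point is that the threshold is per account and per window, not global: a processor serving tens of thousands of practitioners sees millions of legitimate lookups a day, and only the per-account rate separates a busy pharmacy from a scripted dump.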
5. Prepare Your Incident Response Plan
When the breach comes (and it will), the speed of the response makes the difference. Do you have a written and tested incident response plan? Do you know whom to notify, in what order, within what timeframe? The CNIL, affected individuals, law enforcement?
6. Train Your Staff on Phishing
The compromised credentials at Viamedis and Almerys most likely came from phishing campaigns or password reuse. Regular training of staff - and especially those with access to sensitive data - is the first line of defence.
An awareness programme combining training and phishing simulations reduces click rates on malicious emails by 60 to 80% within 12 months, according to SANS Institute studies.
7. Secure Your Email Configuration
Is your domain protected against spoofing? SPF, DKIM, and DMARC are three email authentication mechanisms, each published as a DNS record, that prevent attackers from sending emails that spoof your domain name. If an attacker can send an email pretending to be your company, your customers and partners are at risk. To understand and implement these protocols, see our guide on email security for SMBs: SPF, DKIM, and DMARC.
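What "protected" means in practice is a handful of record settings, and a weak record looks almost identical to a strong one. The checker below is written for this article (it is not the diagnostic tool linked above) and evaluates SPF and DMARC records for the usual weaknesses: a permissive `all` term, too many DNS lookups, `p=none`, a partial `pct`, and no reporting address. The DNS answers are constructed inline for reserved `.example` names; a real checker would resolve TXT records for the domain and `_dmarc.<domain>`. DKIM is left out because its record lives under a selector name the checker would have to know.

```python
"""Spot weak SPF and DMARC settings in a domain's DNS TXT records.

Added example; it is not the diagnostic tool the article links to. DNS
answers are constructed inline for reserved .example names. A real checker
would resolve TXT for <domain> and _dmarc.<domain>.
"""

# Constructed DNS answers: name -> list of TXT strings
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "hardened.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
    "norecords.example": ["some-site-verification=abc123"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def assess_spf(record):
    """Findings for one SPF record (None means no record was published)."""
    if record is None:
        return ["SPF: no record; receivers cannot tell which servers may send as this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    lookups = 0
    all_term = None
    for term in terms[1:]:
        # Strip qualifier (+ - ~ ?) and any ":value" or "/cidr" suffix to get the mechanism name.
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_MECHANISMS or name.startswith("redirect="):
            lookups += 1
        if name == "all":
            all_term = term
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if all_term is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append(f"SPF: '{all_term}' authorises every sender on the internet")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral; spoofed mail passes as if no SPF existed")
    elif all_term == "~all":
        findings.append("SPF: '~all' softfail; spoofed mail is only rejected if DMARC is enforced")
    return findings


def parse_tags(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Findings for one DMARC record (None means no record was published)."""
    if record is None:
        return ["DMARC: no record; SPF/DKIM results are never enforced against a spoofed From: header"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "":
        findings.append("DMARC: required p= tag is missing")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports of abuse")
    return findings


def assess_domain(txt, domain):
    """Combine SPF and DMARC findings for a domain from a name -> TXT-list mapping."""
    spf = next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), None)
    dmarc = next((r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")), None)
    return assess_spf(spf) + assess_dmarc(dmarc)


if __name__ == "__main__":
    for name in ("weak.example", "hardened.example", "norecords.example"):
        print(name, assess_domain(SAMPLE_TXT, name) or ["no findings"])
```

The weak domain is the common real-world shape: an SPF record that only softfails and a DMARC record left at `p=none` after the monitoring phase, which together never cause a receiver to reject a spoofed message. The hardened domain differs by two tokens (`-all`, `p=reject`) plus a reporting address, which is the whole point of checking these records rather than eyeballing them.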
What Affected Individuals Should Do
If you are or have been covered by a supplementary health insurer in France, there is a strong chance you are among the 33 million people affected. Here are the concrete steps to take.
Check Whether You Are Affected
Your supplementary health insurer is required to inform you if your data has been compromised. If you have not received any notification, contact your insurer to confirm whether it uses the services of Viamedis or Almerys.
The main mutuelles and supplementary health insurers affected include (non-exhaustive list): Malakoff Humanis, Viasanté Mutuelle, MGEN, Harmonie Mutuelle, MACIF, Carte Blanche Partenaires, and several dozen others.
Be Wary of Targeted Phishing
This is the most immediate and concrete threat. The attackers have enough information to mount highly convincing phishing emails.
Absolute rules:
- Never click on a link in an email or text message claiming to come from your insurer or the Assurance Maladie in connection with this breach.
- Never share your social security number by email, text, or phone with anyone who contacts you (even if they already know your number - that is precisely because they stole it).
- Always access your insurer's member portal or Ameli by typing the address directly into your browser, never via a link received by email.
- Check the sender's address: phishing emails often use lookalike domains (malakoff-humanis-securite.com instead of malakoffhumanis.com).
Monitor Your Accounts
- Ameli statement: log in regularly to your Ameli account (ameli.fr) to check that the reimbursements shown correspond to care you actually received. An unfamiliar reimbursement may be a sign of fraud.
- Insurer statement: perform the same check on your supplementary health insurer's online portal.
- Bank statement: watch for unusual debits, particularly from healthcare organisations.
File a Complaint
The Paris public prosecutor's office has set up a streamlined complaint process for victims of the Viamedis-Almerys breach. You can file a complaint through the website cybermalveillance.gouv.fr, which provides a dedicated form for this incident.
Filing a complaint matters even if you have not yet detected fraudulent use of your data. It allows the authorities to measure the scale of the damage and focus investigative resources.
Strengthen Your Personal Security
- Change your passwords on your insurer's website and on Ameli, using unique and complex passwords.
- Enable MFA wherever possible, starting with your health accounts (Ameli, insurer portal) and your bank accounts.
- Use a password manager (Bitwarden, 1Password, KeePass) to avoid password reuse.
- Monitor your credit: in France, you can check your credit file free of charge with the Banque de France to detect any fraudulent loans.
Stay Vigilant Over Time
This is the hardest part. Stolen data does not expire. The social security number is permanent. Phishing and fraud attempts exploiting this data can surface months or even years after the initial breach. Vigilance must not fade after a few weeks.
The Case in Perspective: A Before and After
The Viamedis-Almerys case marks a turning point in how cybersecurity is perceived in France. Through its scale (33 million people, half the country), the type of data compromised (the NIR, a permanent identifier), and the simplicity of the flaw exploited (the absence of MFA), it condenses into a single incident all the dysfunctions that undermine data security in France.
What the Case Reveals About France's Digital Healthcare System
The French healthcare system is in the midst of full-scale digitalisation. The Dossier Médical Partagé (DMP, now called "Mon espace santé" - a shared digital health record), the dematerialised Carte Vitale (e-carte Vitale, in trial), telemedicine, electronic prescriptions: everything is converging towards a fully digital, interconnected system.
This digitalisation is a step forward for patients and healthcare professionals. But it mechanically increases the attack surface. Every new interconnection is a new potential entry point. Every new system that stores or transmits health data is a potential target.
The Viamedis-Almerys case shows that technical intermediaries - the invisible companies that keep the plumbing of the healthcare system running - are links just as sensitive as hospitals or the Assurance Maladie itself. Securing the digital healthcare system cannot be limited to the visible actors: the entire chain must be secured, including the technical providers that nobody knows about.
The Regulatory Shockwave
The CNIL has toughened its tone in public communications following the case. The rollout of NIS 2 in France explicitly includes healthcare sector operators in its scope. The Ministry of Health's CaRE programme is accelerating funding towards MFA and network segmentation.
The regulatory trend is clear: the coming years will bring increasingly stringent security requirements for healthcare sector actors and their providers. Organisations that fail to anticipate this evolution expose themselves to sanctions and, more importantly, to incidents.
The Question of Liability
The case raises a fundamental question about liability in outsourcing chains. The mutuelles are data controllers under the GDPR. But they delegated the technical infrastructure to Viamedis and Almerys. If the processors failed to implement the necessary security measures, is liability shared?
The GDPR is clear on this point: the data controller remains responsible, even when outsourcing. Article 28 of the GDPR requires the data controller to use only processors that provide "sufficient guarantees." If a supplementary health insurer failed to verify that Viamedis or Almerys had MFA in place, it shares liability.
In practice, the mutuelles argue that they cannot audit every provider's security measures in detail. The argument is understandable but legally insufficient. The GDPR draws no distinction between organisations that have the means to verify and those that do not.
What Happens Next?
The criminal investigation is ongoing. The CNIL's investigation continues. The regulatory consequences are still unfolding.
For the 33 million French citizens whose data was exposed, the reality is simple: their social security number is potentially in the wild forever. No fine, no sanction, no regulatory reform will change that fact. Stolen data does not come back.
What can change is what organisations do today to ensure the next incident does not affect 33 million people. MFA, data segmentation, retention limits, user training, vendor assessments - these are not advanced cybersecurity measures. They are the bare minimum. And that minimum was not in place at the two operators that process third-party payment for half the country.
Do not repeat this mistake. Start by testing your email configuration security - it is free, it takes 30 seconds, and it is the first step to knowing where you stand.
Find this incident and over 100 others in our French cyberattack database.