Viamedis and Almerys 2024: 33M French Health Records Breached
Two Operators, One Problem
Late January 2024: Viamedis and Almerys, two third-party payment operators that manage healthcare reimbursements for numerous French mutual insurance companies, are victims of nearly simultaneous cyberattacks.
February 1, 2024: Viamedis confirms the intrusion. On February 2, Almerys follows.
February 6, 2024: CNIL publishes a statement indicating that data of more than 33 million people is potentially affected.
Data Compromised
For policyholders and their families: civil status, date of birth, social security number, health insurer name, and contract guarantees. Banking data, medical data (diagnoses, treatments), and contact information (address, phone, email) were not affected according to the operators.
The social security number combined with health insurance information is particularly sensitive. It enables highly targeted phishing attacks (fake reimbursements, fake insurance companies).
Attack Vector
The attack exploited healthcare professional credentials. Attackers compromised practitioner accounts that had access to the third-party payment portals. With these credentials, they queried the systems and extracted policyholder data.
Critical points:
Regulatory Context
Health data receives enhanced protection under GDPR (Article 9). Processing is in principle prohibited except for specific exceptions. Third-party payment operators are subject to enhanced security obligations, particularly under France's Health Data Hosting (HDS) framework.
CNIL launched investigations to verify whether security measures in place were compliant with regulatory obligations.
Impact on Victims
33 million people are affected, nearly half the French population. Stolen data enables phishing campaigns exploiting healthcare themes (fake reimbursements, fake appointments). The social security number combined with civil status facilitates identity theft.
Lessons
Multi-factor authentication for healthcare professionals is non-negotiable. A simple login/password to access 33 million records is insufficient.
Access segmentation is critical. A Parisian practitioner does not need access to records of policyholders in Marseille.
Real-time monitoring of health data access is an obligation, not a bonus. Abnormal extraction volume must trigger an alert and automatic blocking.
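As an added illustration (not code from this article or from either operator), the following Python sketch implements the two controls described above, access-scope checking and volume-based alerting with automatic blocking, over constructed portal access-log lines. The log format, the 100-record threshold, the ten-minute window and the region codes are assumptions.

```python
"""Detect abnormal extraction volume and out-of-scope reads on a third-party
payment portal. Constructed example: log format, thresholds and region codes
are assumptions, not Viamedis or Almerys specifics."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, practitioner account, practitioner's
# department code, policyholder's department code, records returned.
SAMPLE_LOG = """\
2024-01-29T09:00:12 dr_martin_75 75 75 3
2024-01-29T09:01:40 dr_martin_75 75 75 2
2024-01-29T09:02:05 acct_4471 69 13 500
2024-01-29T09:02:31 acct_4471 69 33 500
2024-01-29T09:03:02 acct_4471 69 59 500
2024-01-29T09:04:10 acct_4471 69 75 500
2024-01-29T09:30:00 dr_dupont_13 13 13 4
"""

VOLUME_THRESHOLD = 100          # records per account per window (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)


def parse_line(line):
    """Parse one space-separated log line into a dict."""
    ts, account, own_region, ph_region, n = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "own_region": own_region, "ph_region": ph_region, "records": int(n)}


def analyze(log_text, threshold=VOLUME_THRESHOLD, window=WINDOW):
    """Return (alerts, blocked_accounts). An account whose record count in
    the sliding window exceeds the threshold is blocked for later requests."""
    alerts, blocked = [], set()
    recent = defaultdict(list)  # account -> events inside the window
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        acct = ev["account"]
        if acct in blocked:                      # automatic blocking
            alerts.append(("blocked_request", acct, ev["ts"].isoformat()))
            continue
        if ev["ph_region"] != ev["own_region"]:  # access segmentation check
            alerts.append(("out_of_region", acct, ev["ph_region"]))
        cutoff = ev["ts"] - window
        recent[acct] = [e for e in recent[acct] + [ev] if e["ts"] >= cutoff]
        total = sum(e["records"] for e in recent[acct])
        if total > threshold:                    # abnormal extraction volume
            alerts.append(("volume_exceeded", acct, total))
            blocked.add(acct)
    return alerts, blocked
```

Running `analyze(SAMPLE_LOG)` flags `acct_4471` on its first cross-region bulk query and blocks its three following requests, while the two low-volume practitioner accounts produce no alerts.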
Third-party payment is a critical, often overlooked link. Organizations focus on their own system security but forget that intermediaries like Viamedis and Almerys have access to massive data volumes.
A security audit of your healthcare systems must cover the entire chain, including third-party providers. CleanIssue identifies these weak points during its assessments.
The Viamedis and Almerys incident is a textbook example of supply-chain risk in healthcare. Even organizations with strong internal security posture can be exposed through third-party processors that handle data at scale. Vendor security assessments and contractual security requirements are no longer optional for any entity handling health data under GDPR.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.