Social security numbers, identities: 34 million health insurance records hacked?

In total, 34,228,598 personal files were allegedly stolen and put up for sale on the specialized forum PwnForums on June 1, 2026. This potentially represents the private data of nearly one in two French people. This would be one of the largest cyberattacks ever recorded in France.

A technical flaw and professional access mentioned

To break into the system, the hacker claims to have proceeded in two stages. He would have first recovered the digital identity of a healthcare professional via his e-CPS identifiers (the electronic authentication card for caregivers).

He then allegedly exploited an IDOR (Insecure Direct Object Reference) vulnerability, coupled with an escalation of privileges. This type of flaw allows access to unauthorized resources by simply modifying a parameter or identifier in a digital request, which would have allowed it to scroll and massively collect the files of millions of policyholders.

To support his statements, Lagui published screenshots of the professional interface of the DMP. As a sign of his intrusion, the hacker slipped his pseudonyms (XLAGUI and XMETAH) directly into the patient identity fields of the interface managed by Health Insurance, with an access date displayed as June 1, 2026.

Identity, social security and IBAN: the contents of the loot

According to Lagui's publications, the single file posted online contains complete and immediately usable identification information. The samples released show the presence of the following data:

- First and last names

- Sex

- Dates and departments of birth

- Complete postal addresses, postal codes and municipalities

- Email addresses and phone numbers

More serious, the social security number (NIR) would be present on approximately 80% to 85% of the files. Finally, financial details, including IBANs and bank BIC codes, would affect 30% to 40% of the files. A surprising point since the DMP does not store bank details.

Health Insurance delays, experts urge caution

If proven, the combined exposure of this civil status data, this unique identifier that is the social security number and bank details would expose victims to the risks of identity theft, highly personalized phishing campaigns and bank fraud.

Contacted by us, Health Insurance is cautious and awaits definitive analyses:

“The teams are currently carrying out investigations but certain information leads us to believe that this is false, however we must wait for the specialists to return to be certain. »

In fact, an important technical detail raises questions for cybersecurity monitoring specialists. The official DMP interface does not inherently store or display any banking details. The presence of IBAN in the file put up for sale therefore suggests another origin.

The hypothesis of a composite base is favored: the hacker could have associated identity data extracted from the DMP with banking data from another batch. The previous week, Lagui also claimed responsibility for data theft from Almerys, a third-party payment operator which precisely manages financial details and whose recent cyberattack exposed 15 million social security numbers.

The case was widely relayed by monitoring accounts on social networks, notably the site FrenchBreaches.com, administered by Sébastien F. (known on X under the pseudonym @Seblatombe).

However, as an investigation by Le Monde recalled last March, certain cyber influencers sometimes tend to relay criminal claims in an alarmist manner without prior verification, qualifying as critical incidents which is sometimes a bluff or the recycling of old databases.