
Alan insurance data breach: what brokers need to know


Alan, the insurtech partnered with Belfius, hit by a breach of 15 million personal records through a hacked service provider. What this means for Belgian insurance brokers.

Alan, the insurtech covering more than one million members in France, Belgium, Spain and Canada, has informed its policyholders of a personal data breach. Names, dates of birth, social security numbers, insurance contracts. The entire dataset is now for sale on the dark web.

Alan itself was not hacked. It was Almerys, their technical service provider handling third-party payments in France. But for policyholders, the distinction is invisible. It is Alan's name that appears in the alert email sent to all members. It is trust in Alan that takes the hit.

The tally claimed by the hacker: 44 million rows of data and 15.4 million unique social security numbers, potentially spread across 674 organisations served by Almerys. The full authenticity of the dataset has not yet been officially confirmed by Almerys. But this is the second time in two years that the company has been targeted. In late January 2024, an attack on Almerys and Viamedis exposed the data of 33 million people. The CNIL investigation opened at the time is still ongoing.

What actually happened

Almerys is a third-party payment processor. It is the technical company that handles the link between your health insurer and your doctor when you do not pay the full consultation fee upfront. An invisible intermediary that processes the data of millions of policyholders.

On Friday 22 May, Almerys notified its clients, including Alan, MGEN, Harmonie Mutuelle and AG2R, that a hacker had gained access to its systems. The hacker, known under the pseudonym "Lagui", claims to have encountered no two-factor authentication. The data reportedly covers a period from 2010 to 2026.

Alan reacted quickly: immediate notification to all members by email, alert to the ACPR (the insurance regulator), preparation of the CNIL notification. But the damage is done. Trust is built over years and lost in a single email.

What this means for Belgian brokers

Alan is an insurtech that distributes directly, without going through brokers. Your clients are not with Alan and you do not offer their products. So why discuss it?

Because the same scenario could play out identically with any insurer in your portfolio. AG, Ethias, Baloise, AXA, Vivium: they all rely on technical service providers for data processing, claims management and platform hosting. If one of those providers gets hacked, it is you, the broker, who stands on the front line facing the client. Not the insurer. You.

When a policyholder learns that their data has been leaked, they do not pick up the phone to call the insurer's head office. They call their broker.

Independence as protection

This is where the role of the independent broker takes on its full meaning. If you offer products from multiple insurers and one of them suffers a data breach, your credibility as a broker remains intact. You are not that insurer. You are the independent advisor who guides clients towards the best solutions.

A tied agent linked to a single hacked insurer suffers the same reputational damage as the insurer itself. The multi-insurer broker, on the other hand, can tell clients: "We have been informed, here is what we know, here is what we recommend." They stay in their advisory role.

That independence is also a structural safeguard. Your client data is not centralised with a single partner. If one provider goes down, you have alternatives. You do not depend on a single link in the chain.

Last Friday, we were talking about exactly this

In our latest video on LinkedIn, we told the true story of a brokerage firm in Walloon Brabant whose email account had been compromised. Hundreds of fraudulent emails were sent to every contact: clients, insurers, partners. One morning, everything falls apart.

The parallel with the Alan/Almerys case is striking. In both situations, a technical link in the chain fails. In both, trust takes the first blow.

In that video, we shared three essential reflexes: never turn off the machine (it contains the evidence), immediately warn your team and service providers, and change all passwords accessible from the compromised workstation. Simple reflexes, but ones that most firms only discover the day it is already too late.

What you can do now

A chain is only as strong as its weakest link. You cannot prevent an insurer or service provider from being hacked. But you can limit your exposure.

1. Diversify your partners. This is the foundation of the brokerage profession. The more insurers you work with, the less a breach at any single one affects your entire business and reputation.

2. Enable two-factor authentication everywhere. The Almerys hacker claims there was no two-factor authentication in place. It is the simplest and most effective measure. Professional email, CRM, insurer portals, management tools: enable it on everything.

3. Prepare a response plan. If tomorrow an insurer informs you of a data breach, do you know what to tell your clients? The GDPR requires notification to the supervisory authority within 72 calendar hours. Better to think through the procedure beforehand.

4. Keep your client data with you. Your CRM, your files, your notes: these are your tools, not the insurer's. If you centralise everything with a single provider and they get hacked, you lose control.

5. Communicate proactively. A broker who talks to clients about cybersecurity before an incident happens is a broker who shows they think ahead. Send an awareness email. Remind them of good practices. Your clients will know that you are watching out for them.

Trust is something you prepare

What truly protects you is structure. The broker's independence, the diversification of partners, and the ability to react quickly when something happens.

The next incident may not be in France. And the next name in the headlines may not be Alan. It could be an insurer you work with. On that day, the question will be: are you the broker who anticipated, or the one who discovers the problem at the same time as their clients?
