A hacker calling himself “Janson2025” posted on an underground forum that he is selling a database containing more than 400,000 records of patients, doctors, and insurance companies related to the Spanish Hospital Group. In his announcement, he shared a sample of the data, and upon review, it was found that several entries match actual records dated between 2023 and June 2024.
This could mean that the security breach has not yet been closed. The leak affects at least the Mexico City and Pachuca locations, but it cannot be ruled out that it could compromise the seven hospitals that the group has operated since 1888.
To prove he was serious, the hacker shared a sample of the database. And yes, it includes everything: full names, CURP, RFC, phone numbers, emails, insurance policies, diagnoses such as “Suspected COVID,” and even internal notes such as “Type of insurance: Medical expenses” or “Report to the call center sending info every 24 hours.” It also includes treating physician codes, claim codes, authorized amounts, and account statuses.
In other words, more than enough to commit medical fraud, create false invoices, or even perform phantom surgeries in other people's names.
Indeed. In February 2025, a user with the alias “Barbara” posted on a hacker forum (BreachForums, which has since been shut down) claiming to have thousands of records allegedly stolen from the Spanish Hospital in Pachuca. The user said they had cloned the server backups and shared fragments very similar to those circulating today: technical fields such as c_rfc and c_fcambio, and even internal usernames such as LRAMIREZ or CLADIAZM.
At the time, this case went largely unnoticed. But now, five months later, with a much larger leak and the same type of data, everything points to two possibilities:
Hospital Español was founded in 1888 by the Spanish community in Mexico as a small sanatorium to care for migrants from the Iberian Peninsula. Over the years, it grew to become one of the oldest and most important private healthcare groups in the country.
Today, it manages seven highly specialized hospitals in Mexico City, Pachuca, Puebla, Veracruz, Tampico, Torreón, and San Luis Potosí. All are connected through a technological network that shares data and systems with central servers located in Mexico City.
This interconnection has advantages: it streamlines procedures, allows files to be shared between locations, and helps reduce operating costs. But it also poses a major risk: a single intrusion can give the attacker access to the entire system, as seems to be happening.
The leaked information is not insignificant. With this data in the wrong hands, the possibility of fraud is very real. Some of the most concerning risks are:
Insurance fraud: Someone could use authentic policies to make false claims or charge for services not rendered.
Extortion: Attackers could blackmail patients or families with sensitive details about hospitalizations, surgeries, or diagnoses.
Identity theft: Using CURP, RFC, and other personal data, it is possible to open phone lines, apply for credit, or commit other crimes.
Medical impersonation: The names and passwords of real doctors could be used to issue false prescriptions or sell controlled medications.
This case highlights how vulnerable the healthcare system can be, even in highly reputable private institutions. Hospitals must not only care for the physical health of their patients, but also ensure the security of their personal information.