Cybersecurity | April 19, 2026

Polmed Investigates Ransom Demand After Threat Actor Claims SAPS Medical Aid Data Breach

Polmed confirms a ransom demand claiming a breach of SAPS medical aid data, launches investigation with law enforcement, and reports to the Information Regulator under POPIA.

Peter Olaleru/3 min/NG

Cybersecurity Editor


**TL;DR** Polmed confirmed receipt of a ransom demand claiming unauthorized access to member data on 25 March and has launched a forensic investigation with SAPS and the Information Regulator.

## Context

Polmed, the medical scheme for South African Police Service employees and their dependants, reported the extortion‑type message to ITWeb on 25 March. The scheme is a closed entity governed by the Medical Schemes Act and holds combined identity, financial, and health records that are attractive to cyber criminals.

## Key Facts

- Polmed said it received a ransom demand alleging a data breach on 25 March.
- Principal officer Neo Khauoe stated Polmed is aware of alleged unauthorized access and is investigating with law enforcement to determine if any data was accessed and the extent.
- The Information Regulator recorded 788 data breach notifications in South Africa during Q1 2026.

## What It Means

If the claim is substantiated, the incident would add to a rising trend of health‑sector breaches in the region, where attackers exploit the high value of combined personal data for fraud and identity theft. Polmed’s reporting to the regulator under POPIA section 22 triggers a mandatory assessment of impact and potential remedial actions, while member notifications aim to mitigate downstream harm.

## Mitigations

Organizations should review privileged access controls and enforce multi‑factor authentication to counter MITRE ATT&CK T1078 (Valid Accounts) abuse. Implement email security gateways to detect phishing (T1566) and apply patches for known VPN vulnerabilities such as CVE‑2023‑28252. Continuous monitoring for anomalous data exfiltration, coupled with regular offline backups, limits ransomware impact. Conduct tabletop exercises that simulate extortion scenarios to improve response coordination with law enforcement and regulators.

Watch for the regulator’s forthcoming breach notification details and any updates from Polmed’s forensic team regarding the scope of accessed records.
