Hacker Claims Theft of 373,000 Records From IMO360, Demands Ransom

By: Jordan Vector, Cybersecurity Expert

Last updated: April 9, 2026

  • A malicious actor has listed an alleged database from IMO360, a Spanish health management platform, on a dark web forum for sale.

  • The cybercriminal claims to hold 373,210 records and has handed the company an ultimatum: pay the ransom before April 30 or watch the data go to the highest bidder.

  • Medical records remain among the most valuable assets on the digital black market, making this breach especially dangerous if confirmed.

A new data leak has once again put the digital health sector under pressure. A malicious actor has posted an advertisement on a dark web forum, claiming to sell a stolen database belonging to IMO360, a Spanish software tool designed for health management used by clinics, hospitals, and medical centers across the country.

The cybercriminal claims to have successfully extracted the platform’s complete database, which allegedly contains 373,210 files. The post includes a description of the company alongside samples of the stolen data, which the actor uses to establish credibility on the forum.

Hacker Sets April 30 Deadline for Ransom Payment

The cybercriminal has attached a clear ultimatum to the listing. The actor demands that IMO360 pay a ransom before April 30. If the company fails to meet the deadline, the hacker will sell the stolen information to the highest bidder. The demanded amount has not been made public.

IMO360 is a SaaS (software as a service) platform that clinics, hospitals, and medical centers use to centralize critical functions. These include electronic medical records, appointment scheduling, billing, and patient communication.

The platform belongs to STACKS (Stacks Consulting and Software Engineering), the Spanish subsidiary of Cegedim Group, a technology company with deep roots in healthcare solutions.

The nature of the data that IMO360 handles makes this incident especially sensitive. If confirmed, this breach could expose personal data, medical records, and administrative information belonging to thousands of patients. Such an exposure would carry serious legal and reputational consequences for the company.

Medical Records Sit at the Top of the Dark Web’s Most Wanted List

Cybercriminals consistently prioritize medical data above other types of stolen information, and for a clear reason. Unlike passwords or bank card numbers, no one can easily cancel or change medical records.

A patient cannot simply “reset” their health history. This permanent nature makes medical data a high-value, long-shelf-life asset on underground markets, and it commands premium prices from buyers who exploit it for fraud, identity theft, or targeted extortion.

The consequences of this demand are devastating. A Columbia medical practice was recently hit by a ransomware attack that exposed the Social Security numbers of thousands of patients, demonstrating that healthcare providers of all sizes are prime targets for cybercriminals seeking permanent, valuable medical data that can be exploited for years.

This latest incident adds to a growing pattern targeting the healthcare technology sector. Earlier this year, ransomware actors hit a medical software firm in the United States, affecting three million Americans.

The Eholo software platform for psychologists also suffered a serious data leak, exposing sensitive patient information. Cybercriminals continue to identify healthcare software as a soft target, one that holds enormous volumes of sensitive data but often lags behind other industries in cybersecurity investment.

No Official Confirmation Yet as Investigation Remains Open

At this stage, no official confirmation from IMO360 or its parent company Cegedim Group has surfaced regarding the real scope of the attack or the authenticity of the published data.

Cybersecurity experts caution that dark web listings do not always represent fresh breaches. Some actors recycle older data compilations or combine previously leaked databases to manufacture the appearance of a new attack.

The possibility remains that the published samples represent false information or a repackaging of prior leaks. However, the specificity of the claim (including the precise record count and the company description) keeps the threat credible enough to warrant serious attention.

Digital Shield has reached out to Cegedim Group’s press officers to determine what actually happened and will update this report upon receiving a response.

What this incident reinforces, regardless of the outcome, is a hard truth the digital health sector can no longer ignore. Cybercriminals have identified healthcare software as a high-reward target. 

Companies that manage patient data must treat their security infrastructure with the same urgency they apply to patient care, because when that data falls into the wrong hands, the patients ultimately pay the highest price.

About the Author

Jordan Vector

Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.
