Back to Blog
high severity April 14, 2026 · scope unconfirmed

Caja De Seguro Social Listed by thegentlemen Ransomware Group

www.css.org.pa https://www.zoominfo.com/c/caja-de-seguro-social/455482072 www.css.gob.pa Caja de Seguro Social (CSS), the Panamanian Social Security Fund. The CSS is a public institution responsible for administering and governing the national social security and healthcare system in the Republic of Panama. Manages a network of hospitals and clinics nationwide, serving approximately 84% of Panama's population. 3TB of data, including pension, medical, and investment data. As gentlemen, we offered to pay a fair price for the mistake made, after which all data would be permanently deleted from

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed April 14, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On April 14, 2026, Panama’s Caja de Seguro Social appeared on the leak site of the ransomware group known as thegentlemen. The public institution responsible for the country’s social security and healthcare system had 3TB of internal files exfiltrated, including pension, medical, and investment data.

Confirmed Details of the Incident

Public reporting indicates that Caja de Seguro Social, which serves approximately 84 percent of Panama’s population through its network of hospitals and clinics, suffered a ransomware attack. The attackers extracted roughly three terabytes of sensitive records before encrypting systems or otherwise disrupting operations. The data was later published on the group’s leak site after the organization did not meet the attackers’ demands.

Available reporting describes the exposed information as containing pension records, medical details, and investment-related files. Exact victim counts remain unknown, but the breadth of the material suggests thousands of Panamanian families and workers may have personal, financial, and health information now circulating beyond institutional control.

Why This Matters for You and Your Family

When a national social security agency loses control of medical histories, pension files, and financial records, the consequences reach ordinary citizens. Your name, national identification number, address, health conditions, treatment history, and retirement savings data can be used for identity theft, fraudulent loan applications, or targeted scams. Families relying on these systems for healthcare and future income suddenly face heightened risk of long-term fraud that can take years to untangle.

Medical and pension data are especially damaging because they combine highly personal details with financial stakes. A single leak like this can fuel years of impersonation attempts, insurance fraud, or blackmail attempts against you or members of your household.

The Doxxing and Identity-Chain Implications

Credential leaks and internal documents from government agencies frequently become the starting point for doxxing chains. Attackers cross-reference leaked emails, phone numbers, or IDs with data from earlier breaches, gaming platforms, or social media to build complete profiles. Once your real identity links to usernames, children’s accounts, or shared family addresses, the exposure can cascade into harassment, account takeovers, or physical safety concerns.

Credential leaks like this one cascade into account takeovers and doxxing chains. Gaming accounts belonging to you or your children are particularly vulnerable because kids often reuse passwords or security questions derived from family information. A breach at a healthcare administrator can therefore endanger digital lives far beyond the original institution.

The Gentlemen Ransomware Group’s Track Record

Public reporting attributes the attack to thegentlemen, a ransomware operation that emerged in recent years and publishes victim data on dedicated leak sites when ransom is not paid. The group’s typical playbook involves initial access through common vectors such as phishing or unpatched remote services, followed by exfiltration of sensitive files and subsequent extortion demands. They publicly position themselves as offering “fair” payment options before releasing data, a rhetorical style common among several mid-tier ransomware actors. Notable prior victims have included organizations across Latin America and other regions, though comprehensive attribution remains limited.

What to do

  • Run a DoxxScan to map every link between your emails, phone numbers, government IDs, and real-world identity so you can break the chains before criminals exploit them.
  • Enable continuous DoxxScan monitoring across 15.4 billion breach records and more than 100 platforms so the next exposure of your family’s data is caught and addressed in hours rather than months.
  • Rotate any passwords you used at css.gob.pa or css.org.pa wherever they appear, replace them with unique passphrases, and secure every account with 2FA through an authenticator app rather than SMS.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts, which often chain back to the same addresses and family documents now at risk.
  • Let remediation specialists handle takedown requests for any exposed personal records appearing on data broker sites or underground forums.

The incident underscores that government agencies holding your most sensitive records remain prime targets, and waiting for official notifications leaves your family exposed. Start your DoxxScan trial today and combine continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, and hands-on remediation by specialists to protect every member of your household—including children’s gaming accounts that can become entry points for larger doxxing campaigns. DoxxScan by GalaxyWarden delivers exactly that layered defense.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.