Back to Blog
high severity May 06, 2026 · scope unconfirmed

smp.cat Listed by safepay Ransomware Group

Is a private healthcare organization based in Catalonia, Spain, operating in the Hospitals & Physicians Clinics sector. Founded in 1993 …

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed May 06, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On May 6, 2026, the ransomware group Safepay added smp.cat to its leak site and began publishing internal files stolen from a private healthcare organization based in Catalonia, Spain. The breach affects patients, employees, and anyone whose medical or personal records were stored by the company, which operates in the Hospitals & Physicians Clinics sector and was founded in 1993.

Confirmed Facts from Reporting

Public reporting indicates that Safepay claims to have exfiltrated internal files during a ransomware attack on smp.cat. The exact number of individuals impacted remains unknown, and the precise volume or sensitivity of the stolen data has not been independently verified. Available reporting describes the incident as a classic ransomware operation in which the attacker first gains access, encrypts systems, and then threatens to release the stolen information unless a ransom is paid.

Internal files were taken, though the specific types of records — such as patient names, medical histories, insurance details, or employee information — have not been publicly detailed. The leak site posting appeared on an onion domain tracked by ransomware.live, confirming the group’s public claim of responsibility.

Why This Matters for You and Your Family

When a healthcare provider loses control of internal files, the information exposed is among the most sensitive data that exists about you. Medical records can reveal chronic conditions, mental health history, prescriptions, and family relationships. Once that data reaches the open web or dark-web marketplaces, it never truly disappears. Criminals can use it to commit identity theft, file fraudulent insurance claims, or pressure family members with embarrassing details.

Patients in Catalonia and beyond whose records were held by smp.cat now face an elevated risk that lasts for years. Even if you were not directly treated there, shared insurance policies or household members could still place your family in the exposure chain. The breach underscores how quickly a single provider’s security failure can ripple into your daily life.

The Doxxing and Identity-Chain Implications

Medical data rarely travels alone. A leaked patient file often contains email addresses, phone numbers, dates of birth, and sometimes Social Security or national identification numbers. These pieces act as anchors that link disparate online accounts together. Once criminals map one handle to a real person, they can pivot to gaming platforms, social media, financial apps, and more.

Credential leaks like this one cascade into account takeovers. A child’s gaming username tied to a parent’s email from the healthcare breach can become the entry point for harassment or further extortion. The chain grows quickly: an exposed email leads to a reused password, which leads to a compromised social account, which reveals home addresses and photographs. What begins as a healthcare incident can end in full doxxing of you and your children.

Safepay’s Publicly Known Track Record

Public reporting attributes Safepay with emerging in late 2024 or early 2025 as a ransomware-as-a-service operation. The group has targeted organizations across Europe and North America, with prior victims including manufacturing firms, local governments, and other healthcare providers. Its typical playbook involves initial access through phishing or exploited remote desktop services, followed by data exfiltration, encryption of victim systems, and dual extortion: demanding payment to decrypt files and a second sum to prevent publication of stolen data.

The group maintains a leak site where it posts samples of stolen files as proof of compromise, applying pressure through timed deadlines and incremental data dumps. While exact success rates are difficult to confirm, public trackers show Safepay consistently follows through on publication when ransom demands go unmet.

What to do

  • Run a DoxxScan to map every link between your emails, phone numbers, usernames, and real-world identity so you can see exactly what chains back to the smp.cat breach.
  • Rotate the password used at smp.cat anywhere it is reused, and immediately enable two-factor authentication through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak that touches your family is caught in hours, not months.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts, which often become the weakest link in doxxing chains.
  • Let remediation specialists handle takedown requests across data brokers and leak sites while you focus on securing your own accounts.

The smp.cat breach is a reminder that healthcare data breaches continue to accelerate and that waiting for notification letters leaves your family exposed for months. Taking deliberate steps now can break the identity chains before criminals exploit them. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts. Start your DoxxScan trial today to regain control of what has already leaked and to stay ahead of what comes next.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.