The SafePay ransomware group has added Spanish healthcare provider Serveis Mèdics Penedès to its dark web leak portal, issuing a non-extendable 48-hour ultimatum to pay an undisclosed ransom or face mass publication of stolen data. The Catalan Data Protection Authority (APD) confirmed the listing on May 10, 2026, marking another high-pressure double-extortion attack on the European healthcare sector.
What Happened
SafePay published Serveis Mèdics Penedès on its leak site, confirming the attackers gained access to the company's internal systems. Founded in 1993 by Dr. Josep Panyella, Serveis Mèdics Penedès operates a network of medical centers across Vilafranca del Penedès, Vilanova i la Geltrú, El Vendrell, and Sant Sadurní d'Anoia. The group set a strict 48-hour countdown, after which it has threatened mass dissemination of the exfiltrated files. The Escudo Digital group has reached out to the company's leadership to verify the incident and assess containment measures.
What Was Taken
The exact volume of data exfiltrated remains unknown, and the company has not publicly confirmed whether patient medical records are among the stolen files. Given the nature of Serveis Mèdics Penedès' operations across multiple clinics, the breached environment likely contains protected health information (PHI), patient identifiers, billing data, staff records, and internal corporate documentation. The opacity around the dataset creates significant uncertainty for both patients and regulators about the true scope of exposure.
Why It Matters
Healthcare remains one of SafePay's priority targets due to the criticality and sensitivity of the data these institutions handle, which dramatically increases pressure to pay quickly. A breach of this scale at a regional Spanish provider underscores how mid-sized clinics are increasingly attractive targets: rich in regulated data, often under-resourced on security, and operationally unable to tolerate downtime. Under GDPR, exposure of health data carries severe regulatory consequences, and any leak would trigger mandatory notifications to the Spanish AEPD and affected data subjects.
The Attack Technique
SafePay first emerged in late 2024 and has built a reputation for speed: the time between initial network access and full system encryption can be under 24 hours, leaving defender response windows extremely narrow. The group operates a double-extortion model, exfiltrating data before deploying its encryptor and using leak-portal countdowns as psychological pressure. While the initial access vector for the Serveis Mèdics Penedès intrusion has not been disclosed, SafePay campaigns have historically leveraged exposed RDP, VPN credential abuse, and exploitation of unpatched perimeter appliances.
What Organizations Should Do
- Harden remote access: Enforce MFA on all VPN, RDP, and remote management interfaces; disable internet-exposed RDP entirely where possible.
- Patch perimeter aggressively: Prioritize firewall, VPN concentrator, and edge appliance vulnerabilities, which are frequent SafePay entry points.
- Segment clinical and administrative networks: Limit lateral movement between EHR systems, billing infrastructure, and corporate IT to slow the sub-24-hour encryption timeline.
- Deploy EDR with behavioral detection: Tune for rapid encryption activity, shadow copy deletion, and mass file modification typical of SafePay tooling.
- Test offline, immutable backups: Validate restoration playbooks against full-encryption scenarios, not just single-system recovery.
- Pre-stage incident response: Maintain retainer agreements with DFIR providers and legal counsel familiar with GDPR Article 33 and 34 notification timelines.
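As an added illustration of the EDR tuning bullet above (not code from the source article or from any vendor), the Python example below runs two behavioral rules over endpoint telemetry: shadow copy deletion command lines, and many distinct files written by one process inside a short window. The event schema, the 60-second window, the threshold of 5, and the sample events are assumptions constructed for this example; the command-line patterns are generic backup-tampering commands, not SafePay-specific indicators.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Generic backup-tampering command lines, not SafePay-specific indicators.
SHADOW_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed; low for the sample, tune per environment

def detect(events):
    """Return (host, rule, timestamp) alerts from time-ordered telemetry events."""
    alerts, writes, fired = [], defaultdict(deque), set()
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process" and SHADOW_RE.search(ev["cmdline"]):
            alerts.append((ev["host"], "shadow_copy_deletion", ev["ts"]))
        elif ev["type"] == "file_write":
            key = (ev["host"], ev["pid"])
            q = writes[key]
            q.append((ts, ev["path"]))
            while ts - q[0][0] > WINDOW:      # drop writes older than the window
                q.popleft()
            # Count distinct paths so one busy log file does not trip the rule.
            if len({p for _, p in q}) >= THRESHOLD and key not in fired:
                fired.add(key)                # one alert per process
                alerts.append((ev["host"], "mass_file_modification", ev["ts"]))
    return alerts

def sample_events():
    """Constructed telemetry; hosts, pids and paths are made up."""
    def proc(t, cmd):
        return {"ts": f"2026-01-01T02:{t}", "host": "ws01", "type": "process", "cmdline": cmd}
    def write(t, host, pid, path):
        return {"ts": f"2026-01-01T02:{t}", "host": host, "type": "file_write",
                "pid": pid, "path": path}
    ev = [proc("00:00", "vssadmin list shadows"),  # benign query, must not alert
          proc("00:05", "vssadmin.exe Delete Shadows /all /quiet")]
    # pid 100 rewrites one log file: many writes, one distinct path
    ev += [write(f"00:{10 + i}", "ws01", 100, r"C:\logs\app.log") for i in range(8)]
    # pid 4242 touches six distinct documents in six seconds
    ev += [write(f"00:{20 + i}", "ws01", 4242, rf"C:\share\doc{i}.docx") for i in range(6)]
    # pid 200 writes five distinct files two minutes apart: never 5 in one window
    ev += [write(f"{10 + 2 * i}:00", "ws02", 200, rf"C:\scans\img{i}.dcm") for i in range(5)]
    return ev

if __name__ == "__main__":
    print(detect(sample_events()))
```

Counting distinct paths per process, rather than raw write volume, keeps busy log writers and slow batch jobs from firing the rule while still catching a process that sweeps across many documents in seconds.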
Sources: SafePay gives Serveis Mèdics Penedès 48 hours to pay the ransom or threatens to release stolen data