Polmed, the medical scheme serving members of the South African Police Service (SAPS), is probing a suspected data breach after a threat actor issued it with a ransom demand.
The incident was confirmed to ITWeb by Neo Khauoe, principal officer of Polmed, following reports of a potential compromise.
Polmed is a closed medical scheme registered under the Medical Schemes Act, with membership limited to SAPS employees and their dependants.
The medical aid scheme received a direct claim of breach from the threat actor on 25 March, the principal officer reveals.
Khauoe adds that the incident originated in the context of an extortion-type communication from a threat actor.
Cyber criminals are increasingly targeting medical aid schemes because of the high value and sensitivity of the data they hold.
Healthcare records combine identity, financial and medical information, making them far more lucrative for fraud and identity theft than standalone financial data.
Says Khauoe: “Polmed is aware of allegations of unauthorised access to member information. The matter is currently the subject of an investigation and law enforcement process to determine whether any data was in fact accessed, and if so, to what extent.
“Until that work is complete, Polmed cannot responsibly confirm or deny the full extent of any breach, and it would be inappropriate to speculate.”
According to Khauoe, the investigation is focused on determining the scope and impact of any unauthorised access, if confirmed.
She noted the organisation has reported the incident to the Information Regulator in terms of section 22 of the Protection of Personal Information Act (POPIA).
Under POPIA, organisations are required to report data breaches to the Information Regulator to ensure transparency, accountability and the protection of individuals’ personal information.
Reporting enables the regulator to assess the scope and impact of the breach, ensure appropriate remedial actions are taken, and, where necessary, guide organisations on mitigating harm.
It also helps to safeguard affected data subjects by ensuring they are informed of potential risks, such as identity theft or fraud, allowing them to take protective measures.
Khauoe adds that Polmed has notified all its members, and will communicate directly with affected parties should the investigation reveal details of any breach.
“Determining the number of affected records, if any, is a key objective of the ongoing forensic investigation,” she tells ITWeb.
Khauoe says the scheme has implemented a range of security measures in response to the alleged cyber incident, without pre-empting the outcome of its investigation.
These include appointing independent cyber security and forensic specialists to probe and validate the allegations; reporting the incident to relevant authorities, such as the Information Regulator and the SAPS; and continuously reviewing and strengthening security controls and monitoring systems linked to its data environment.
Khauoe adds that as a precaution while the investigation continues, members have been urged to remain vigilant against potential fraud and identity theft.
She says members should treat unsolicited e-mails, SMSes or calls requesting personal or financial information with caution, verify any communication purportedly from Polmed through official channels, use strong and unique passwords with multi-factor authentication, and closely monitor bank and credit statements for suspicious activity.
She notes that members found to be at higher risk would be contacted directly with tailored guidance and support.
“Given the sensitivity of the alleged incident and the involvement of law enforcement and regulatory authorities, Polmed will limit engagement on this matter.”
The potential data breach at Polmed comes as South African companies are increasingly being targeted by cyber criminals, with a string of recent high-profile incidents underscoring the scale of the threat.
ITWeb recently reported that Standard Bank disclosed unauthorised access to client data, exposing sensitive information such as account numbers, business details and identification records, heightening risks of fraud and identity theft.
The bank’s subsidiary Liberty Group also confirmed a breach involving unauthorised third-party access to customer systems, with compromised data including personal information such as names and ID numbers.
Meanwhile, Statistics South Africa also fell victim to a cyber attack, after hackers accessed data from its systems and issued a ransom demand, highlighting vulnerabilities within government institutions.
JSE-listed Lesaka unit Adumo today assured its clients that no consumer data was breached during a cyber attack that apparently resulted in thousands of files being made available for sale on the dark web.
These incidents form part of a broader surge in cyber attacks across both public and private sectors, with hundreds of data breaches being reported in just the first quarter of 2026 alone.
The Information Regulator has raised concern about the increased number of data breach notifications it is receiving from local organisations.
The watchdog exclusively told ITWeb that from 1 January to 31 March, it received 788 data breach notifications from South African organisations.
