Mexico's IMSS data leak: 20 million pensioners exposed
Twenty million elderly people woke up in September 2025 to discover their deepest health secrets were being sold on the dark web. For the price of a used car ($2,800), criminals now had their names, home addresses, social security numbers, and medical conditions.
This wasn't a sophisticated cyber heist. It was something simpler and more terrifying: someone on the inside let it happen.
How it happened: an inside job
On September 12, 2025, journalist Ignacio Gómez Villaseñor broke the story that Mexico's IMSS (Instituto Mexicano del Seguro Social) had been breached. But this wasn't a typical hack. IMSS itself pointed inward: the likely cause was an employee who held legitimate access to pensioner information and misused it.
The government admitted it plainly: "posible filtración por uso indebido de acceso a información institucional por parte de personal" (possible data leak from misuse of institutional information access by staff).
This happens more often than you'd think. 70% of Mexico's government cybersecurity incidents come from employees, not external attackers. And IMSS had no real safeguards: no data loss prevention (DLP) controls, no alert when a single account pulled sensitive records by the hundreds of thousands. Just access, trust, and opportunity.
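The missing control described above, an alert when one account pulls far more records than its job requires, is cheap to build from an ordinary access log. The script below is an added example for this article, not code from IMSS or any real system: the log format, the user IDs, the thresholds and every sample line are constructed. It flags an account when its hourly row count exceeds a hard limit, exceeds 20× that account's own earlier hourly median, or performs an export outside working hours.

```python
"""Bulk-access alerting over a record-access audit log.

Added example for this article, not code from IMSS or any real system.
Log format, user IDs, thresholds and the sample lines below are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample audit lines, one per query; "records" is the row count returned.
SAMPLE_LOG = """\
2025-09-10T09:02:11Z user=clerk01 action=read table=pensionados records=1
2025-09-10T09:15:40Z user=clerk01 action=read table=pensionados records=1
2025-09-10T10:03:05Z user=clerk01 action=read table=pensionados records=2
2025-09-10T11:21:19Z user=clerk01 action=read table=pensionados records=1
2025-09-10T09:05:00Z user=clerk02 action=read table=pensionados records=1
2025-09-10T10:06:00Z user=clerk02 action=read table=pensionados records=1
2025-09-10T22:41:07Z user=clerk02 action=export table=pensionados records=250000
2025-09-10T22:52:30Z user=clerk02 action=export table=pensionados records=250000
2025-09-10T23:01:12Z user=clerk02 action=export table=pensionados records=250000
this line is garbage and must not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) records=(?P<records>\d+)$"
)

# Assumed policy thresholds; a real deployment tunes these to its workload.
ABS_HOURLY_LIMIT = 1_000    # a clerk has no reason to pull >1000 rows in an hour
BASELINE_FACTOR = 20        # ...or >20x their own prior hourly volume
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC treated as normal hours


def parse(log_text):
    """Parse lines into (timestamp, user, action, records); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["action"], int(m["records"])))
    return events


def hourly_volume(events):
    """Return {user: {hour_start: rows_returned}} aggregated per clock hour."""
    vol = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, records in events:
        vol[user][ts.replace(minute=0, second=0)] += records
    return vol


def detect_bulk_access(log_text):
    """Return {user: [alert, ...]} for users whose access pattern is anomalous.

    Three rules, each a cheap approximation of what a DLP/UEBA product does:
      1. absolute: rows in one hour exceed ABS_HOURLY_LIMIT
      2. baseline: rows in one hour exceed BASELINE_FACTOR x the median of that
         user's *earlier* hours (the spike never pollutes its own baseline)
      3. off-hours export: any export action outside WORK_HOURS
    """
    alerts = defaultdict(list)
    events = parse(log_text)
    for user, hours in hourly_volume(events).items():
        history = []
        for hour in sorted(hours):
            rows = hours[hour]
            if rows > ABS_HOURLY_LIMIT:
                alerts[user].append(f"{hour.isoformat()} {rows} rows > {ABS_HOURLY_LIMIT}")
            if history:
                base = max(median(history), 1)
                if rows > BASELINE_FACTOR * base:
                    alerts[user].append(
                        f"{hour.isoformat()} {rows} rows > {BASELINE_FACTOR}x baseline {base:g}"
                    )
            history.append(rows)
    for ts, user, action, records in events:
        if action == "export" and ts.hour not in WORK_HOURS:
            alerts[user].append(f"{ts.isoformat()} off-hours export of {records} rows")
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in detect_bulk_access(SAMPLE_LOG).items():
        print(user)
        for reason in reasons:
            print("  ", reason)
```

On the constructed log, clerk01's handful of single-record lookups produces nothing, while clerk02's three 250,000-row exports late at night trip all three rules. The baseline rule only looks at hours before the one under test, which matters: if the spike were included in its own baseline, a large enough dump would raise the median and hide itself.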
What was actually stolen
Here's what makes this different from other breaches. It wasn't just names and ID numbers. Criminals now have each person's medical conditions.
That's the devastating detail. If you're 75 years old and have diabetes, scammers know it. If you're a pensioner with heart disease, arthritis, or any chronic condition, criminals have that information matched to your real name, your real address, your real phone number.
The 1.4GB database included 20 million records. The hacker group Sc0rp10nn listed it on dark web forums. For just 50,000 pesos, anyone could buy the whole thing.
Why elderly people are the perfect target
Scammers don't randomly dial phone numbers anymore. They hunt strategically. Elderly people are already vulnerable: many live alone, and many defer to anyone who sounds like an authority. Now criminals hold a master key, real personal information that makes the scam feel legitimate.
Imagine your phone rings. A calm voice says, "Good morning Mrs. García. This is Dr. Morales from IMSS. We've been reviewing your diabetes treatment plan, and we need to update your bank account information to continue processing your pension and medication subsidies. Can you confirm your account number?"
That voice knows your name. They know you have diabetes. They know your address. Most people would believe them. Most people would give their banking details.
The scams you need to watch for
Post-breach, expect these specific attacks:
Fake IMSS pension calls. Scammers will call pretending to be from IMSS, quoting your real NSS (Número de Seguridad Social, the social security number), and asking you to "confirm" or "update" bank information. They might claim your pension is at risk or that you need to process a medical benefit. They'll know details about your health that make the story stick.
Medical supply scams. "We're contacting patients with your condition. Our pharmacy has a new treatment that's 40% cheaper. We can ship it directly if you give us your insurance details." They know your diagnosis. It feels real.
Bank update scams. "Your bank has flagged unusual activity on the account linked to your IMSS pension. We need to verify your credentials." Again, they know who you are. Where you live. What hospital you go to.
What you can do right now
If you have elderly parents or grandparents in Mexico, talk to them this week. Don't panic them, but be direct.
Have a code word. Pick something only your family knows. Tell your parents, "If anyone ever calls and claims to be from IMSS, the bank, or a doctor, they need to say the word [your code word]. If they can't say it, hang up immediately." Make it something personal: a childhood nickname, an inside joke, a pet's name. Scammers won't know it. Neither will a genuine caller, and that is the point: the code word is a rule for family, and everyone else gets the call-back rule.
Set the rule: never confirm personal details over the phone. IMSS, banks, and real doctors don't call asking you to confirm account numbers, card details, or passwords. Not ever. If someone calls claiming to be from an authority, say, "I'll call you back at the official number." Then look up the real number yourself, from your bank card or the institution's official website. Don't use any number the caller gives you.
Enable message filtering on their phone. iPhones have a built-in filter for unknown senders. Android has Google's spam detection. Both work. Unknown numbers go to a separate folder. It's not foolproof, but it helps.
Watch for the real details. Scammers now know medical conditions, addresses, and IDs. Your parents should be extra suspicious of anyone who mentions real information. Real professionals don't need to prove they have your file by reciting it back to you—that's actually a red flag.
The bigger picture
This breach is a wake-up call for Mexico's government. 20 million people isn't a glitch. It's a failure. An employee with too much access, no audit trail, no download alerts, no safeguards. It's preventable.
But right now, it's done. And elderly pensioners are in the crosshairs. They've earned their retirement. They shouldn't spend it worrying that criminals know where they live and what diseases they have.
Stay vigilant. Talk to your family. And if you get a call from someone claiming to be an official authority, remember: they can always call back. You don't have to decide in the moment.
Related reading: Why blocking scam numbers doesn't work anymore — because scammers cycle through new numbers faster than any blocklist can keep up.
Stay ahead of scammers
Rampart analyzes every message to catch scams before you fall for them.