Claimed insurance‑sector breach hits 200K records

A hacking group calling itself XP95 posted a claim that Nigeria’s NNPC Health Maintenance Organisation was breached, and breach-tracking sites logged the case on April 9 and April 10, 2026. One post tied the claim to about 200,000 user records and a ransom demand of $300,000 with an April 30 deadline. (dailydarkweb.net) (breachsense.com) NNPC Health Maintenance Organisation is not a random clinic website. It says it is a licensed health insurer under Nigeria’s National Health Insurance Authority and says it serves enrollees across Nigeria’s six geopolitical zones. (nnpchmo.com) (nhia.gov.ng) The records described in the breach claim read like the inside of an insurance card file cabinet. The sample fields listed by Daily Dark Web include full names, member numbers, employers, insurance plans, telephone numbers, dates of birth, expiration dates, and card status. (dailydarkweb.net) That mix matters because health insurance data is useful in more than one crime. A phone number plus date of birth can help with identity checks, and an employer name plus plan status can make phishing messages look real enough to fool a patient or a human resources desk. (dailydarkweb.net) (cert.gov.ng) XP95 is not appearing for the first time here. In March 2026, South African outlets linked the same group to breach claims involving the Gauteng Provincial Government and Statistics South Africa, with separate ransom demands and alleged data theft. (mybroadband.co.za) (itweb.co.za) That does not prove the NNPC Health Maintenance Organisation claim is genuine. Breach forums are full of recycled data, inflated numbers, and fake deadlines, and the public evidence so far is a criminal claim plus third-party breach listings rather than a confirmed disclosure from the company or Nigeria’s regulator. (breachsense.com) (dailydarkweb.net) (services.ndpc.gov.ng) Nigeria’s legal framework is built for exactly this kind of moment. The Nigeria Data Protection Act 2023 defines a personal data breach as unauthorized access, disclosure, loss, or alteration of personal data, and it puts breach duties on both the data processor and the data controller. (cert.gov.ng) (placng.org) If a breach is likely to put people at risk, Nigerian rules require notice to the Nigeria Data Protection Commission within 72 hours of awareness, and the commission runs a dedicated breach-reporting portal for that purpose. (dlapiperdataprotection.com) (services.ndpc.gov.ng) (ndpc.gov.ng) The bigger pattern is that insurers now sit on three kinds of high-value data at once: identity data, payment-linked data, and health-linked data. When one database ties those pieces together, attackers do not need millions of records for the breach to be dangerous; they need enough records to build convincing stories around real people. (nnpchmo.com) (dailydarkweb.net) (cert.gov.ng) Until there is a formal confirmation or denial, the safest reading is narrow and concrete: a named threat actor made a public claim on April 9, 2026, third-party trackers picked it up on April 10, 2026, and the alleged dataset contains exactly the kind of insurance and health-adjacent fields that criminals can turn into fraud fast. (dailydarkweb.net) (breachsense.com)