Hackers demand $700,000 ransom from Israeli hospital

Shamir Medical Center (Assaf Harofeh) was hit by a cyberattack apparently carried out by a group of hackers from Eastern Europe. The attackers issued a threat to publish patient information unless they receive a ransom payment of $700,000.

Ynet reported that several central hospital systems, including Chameleon (a medical records platform), temporarily stopped functioning during the attack. The Ministry of Health clarified that daily operations at the hospital continued as usual and that the systems have since returned to normal.

Assaf Harofeh hospital.

The hackers may have gained entry through a breach in the personal laptop of a support staff member at a computer security company. Chameleon is a medical records system that consolidates patient files and is used by numerous hospitals in Israel as well as some HMOs. Among its functions are issuing discharge summaries and prescriptions.

The Qilin group, which claimed responsibility, said it accessed as much as 8 terabytes of data, including sensitive medical information. The attackers gave the hospital 72 hours to pay the ransom or face public exposure of the stolen files. They also claimed to have compromised “hundreds of servers and endpoints” at the hospital. Their message even included references to senior government figures, including “Bibi and Sarah.”

Qilin messages.

According to the Ministry of Health and the National Cyber Directorate, the attempted attack was detected during Yom Kippur and was “thwarted in its initial stages.” Authorities are still investigating whether information was leaked. As a government medical center, Assaf Harofeh falls under the direct protection of the National Cyber Directorate.

The Qilin group is not typically linked to any state actor. It targets a range of victims worldwide, from hospitals to commercial firms, often framing its actions as activism while pursuing financial gain.

Gil Messing, Chief of Staff at Check Point, said Qilin has been active since 2022, initially under a different name, and is today considered one of the world’s most prominent ransomware organizations. “This year alone, they have listed 500 victims. They are based in Eastern Europe, work with partners worldwide, and their motive is economic - ransom,” he explained. “The model is called ‘double extortion’: they encrypt an organization’s systems, demand payment, and threaten to leak sensitive data to pressure compliance. This group is known for credibility: if they claim a hack, it should be assumed they succeeded.”

Messing added that the healthcare sector is among the most frequently attacked industries due to the sensitivity of medical records and the potential for disruption. “In Israel, an average healthcare organization faces nearly 2,400 cyberattacks each week, about 37% above the general average,” he said.

Hospitals have long been prime targets. In recent years, major medical centers such as Hillel Yaffe in Hadera, Mayanei Hayeshua in Bnei Brak, Rambam in Haifa, and Rivka Ziv in Safed have also been victims of cyberattacks.