
Key Points:
- Assaf Harofeh Medical Center (Shamir) hit by cyberattack during Yom Kippur
- Russian cybercrime group Qilin claims to have stolen 8 terabytes of sensitive hospital data
- Emails from September 25 containing patient medical information confirmed leaked
- $700,000 ransom demanded within 72 hours; hackers threaten to publish stolen data
- Core medical records system “Chameleon” reportedly uncompromised but investigations ongoing
- Attack exploited breach through private laptop of cybersecurity company support worker
- Ransom note personally addressed to Prime Minister Netanyahu and wife Sara
- Hospital operations continued without disruption despite attack
New Delhi: The Assaf Harofeh Medical Center, also known as Shamir Medical Center, in Beer Yaakov was targeted by a sophisticated cyberattack during Yom Kippur, one of Judaism’s holiest days. According to a joint statement from the Israeli Health Ministry and National Cyber Directorate released on October 2, the attack was “blocked in its initial stages,” though authorities confirmed that sensitive patient data was compromised.
Initial investigations revealed that emails sent to and from the hospital on September 25 were leaked, including medical information contained in those messages. However, officials stated there is currently no indication that data stored in the hospital’s central medical information management system, known as “Chameleon” (or Kamilion), was breached. Chameleon is a widely used electronic medical records platform that consolidates patient files across multiple Israeli hospitals and health maintenance organizations.
Qilin Ransomware Group Claims Responsibility
The cyberattack was allegedly perpetrated by Qilin, a Russian-speaking cybercrime organization believed to operate from Eastern Europe. According to reports from Ynet, Qilin posted a message claiming to have successfully infiltrated the hospital’s systems and exfiltrated approximately 8 terabytes of sensitive data, including patient records, internal communications, and critical operational information.
The ransomware group issued a stark ultimatum demanding $700,000 within 72 hours, warning: “We have successfully infiltrated and gained full access to your systems at Shamir Hospital, the largest medical facility in Israel… Failure to comply with our demands will result in the immediate publication of all stolen data, causing irreparable damage to your institution and compromising patient privacy”.
Personal Threat to Israeli Leadership
In an unprecedented and provocative move, the ransom note was personally addressed to “Bibi and Sara,” referring to Prime Minister Benjamin Netanyahu and his wife. The message concluded with a threatening warning: “If you make another mistake you will be destroyed. Bye Bibi and Sara”. This personal targeting represents an unusual escalation in tactics by cybercriminal groups attacking critical infrastructure.
Attack Vector and Vulnerability
According to initial findings, the hackers exploited a security breach through the private laptop of a support worker at a cybersecurity company contracted by the hospital. The attack briefly disrupted Chameleon, the electronic medical records system used to issue medical visit summaries, prescriptions, and other patient documentation across multiple Israeli healthcare facilities. Despite the intrusion, hospital officials confirmed that all clinical operations remained unaffected and patient care continued without interruption.
Qilin’s Track Record of Hospital Attacks
This is not Qilin’s first assault on healthcare infrastructure. The group previously hacked into London hospitals in 2024, causing significant disruptions to tests and surgical operations. The organization’s pattern of targeting healthcare facilities during critical times demonstrates a calculated strategy to maximize pressure on victims to pay ransoms quickly.
Part of Broader Threat to Israeli Healthcare
The attack on Assaf Harofeh is part of an alarming pattern of cyberattacks targeting Israeli medical institutions. In recent years, Hillel Yaffe Medical Center in Hadera suffered a severe ransomware attack that forced staff to revert to manual operations and redistribute patients to other facilities. Approximately six months ago, Bikurofeh, a private clinic network serving Israeli soldiers and providing services to the Israel Defense Forces, was struck by a suspected Iranian cyberattack.
Government Response and Ongoing Investigation
The Health Ministry and National Cyber Directorate continue to work alongside hospital staff, cybersecurity experts, law enforcement, and government agencies to assess the full scope of the breach. The hospital has been directed to tighten cybersecurity protocols, limit access to sensitive systems, and remain vigilant for further intrusion attempts. As a government hospital, Assaf Harofeh falls under the direct protection of the National Cyber Directorate.
Authorities have emphasized implementing stronger defenses including stricter access controls, network segmentation, secure backups, and real-time monitoring systems. Training medical staff in basic cybersecurity hygiene has also become a priority following this incident.