
Israel’s Shamir Medical Center was allegedly hacked by the Qilin ransomware group on Thursday. The seasoned hackers boasted of access to the hospital’s entire IT system and hordes of sensitive patient data.
- The Qilin gang claims to have stolen 8TB of patient and hospital data from Israel’s Shamir Medical Center.
- The ransomware operatives issued a 72-hour ransom ultimatum, striking during Yom Kippur.
- The Russian-linked cybercriminal group is currently the most active ransomware gang of 2025, with 570+ victims.

“We have successfully infiltrated and gained full access to your systems at Shamir Hospital, the largest medical facility in Israel,” Qilin posted on its dark victim blog Thursday, coinciding with the second day of Yom Kippur.
The ransomware group is claiming to have “exfiltrated approximately eight terabytes of sensitive and confidential data” from the hospital’s network systems.
It has given Israel’s premier teaching and research medical facility just “72 hours to respond and negotiate the terms.”
If Shamir hospital officials do not comply with the cybercriminals' demands, the gang threatens to leak the massive stolen cache on the web, in its entirety.
Cybernews has reached out to the Shamir Medical Center for comment, but has not heard back at the time of this report.
Hundreds of thousands of patient records at risk
The extreme amount of stolen data is purported to include the private health records of an unknown number of Shamir Medical patients, as well as the hospital's "internal communications and critical operational information."
Qilin provided just four file samples as proof of the alleged breach, a speck compared to the claim of eight terabytes of exfiltrated data.
The group also threatened that any attempt to involve law enforcement or cybersecurity experts would accelerate the release of the sensitive information.
“We demand a ransom payment to prevent this information from being publicly released,” Qilin writes, urging the healthcare facility to “take this matter seriously.”
“Failure to comply with our demands will result in the immediate publication of all stolen data, causing irreparable damage to your institution and compromising patient privacy,” it said.
Attacks on healthcare and medical facilities are considered especially heinous as patient care can be disrupted, with life-saving surgeries and procedures potentially postponed for extended periods of time, putting lives at risk.
Private medical records, when leaked, can not only embarrass the victim, but also cause reputational harm and possible employer discrimination. The leak of financial data and other personally identifiable information (PII) further puts the victim at risk of identity theft, fraud, and targeted social engineering attacks.
The Shamir Medical Center (Assaf Harofeh), located about nine miles outside of Tel Aviv, runs at about 90% patient capacity all year long, providing "over 1 million residents in Israel's central region with state-of-the-art medical care and services," including in outpatient clinics and emergency services, its website states.
The hospital declares itself a “medical home base” for an economically and socially diverse community, which includes “Jews, Muslims, Christians, religious and secular communities, low and middle-income families, veterans, and immigrants from Ethiopia and the former Soviet Union.”
It's unclear if the self-proclaimed group of ransomware “idealists” – suspected to be of Russian descent – purposefully planned to attack the hospital on Yom Kippur – the Jewish Day of Atonement and one of the most significant of the religion’s high holy days. The holiday runs from sundown to sundown, October 1st and 2nd.
Qilin wins most active ransomware gang of 2025
Notorious for targeting hospitals and the manufacturing sector, the Qilin gang – once known as Agenda – first appeared on the ransomware circuit in 2022. However, its dark leak site claims it began operating in 2021.
With 84 victims listed since just the beginning of September, Qilin has moved itself into the number one position as the most active ransomware gang in the past 12 months, claiming roughly 572 victims, according to Cybernews' Ransomlooker monitoring tool.
Aggressively outperforming ransomware rivals Play, INC Ransom, and newcomer DragonForce, a whopping 522 of those attacks appear to have taken place since January 2025.
The group, which is said to actively recruit affiliates on Russian language hacker forums, also avoids targeting Commonwealth of Independent States (CIS) countries, insinuating a Kremlin-aligned agenda.
Known for using a ransomware-as-a-service (RaaS) business model, the cybercriminal outfit often uses double extortion tactics on its victims, demanding a ransom for decryption and then a second payout to guarantee it will not leak the stolen files on the dark web after the fact.
Last making waves with two major hits in August, among myriad others, Qilin claimed responsibility for breaching Nissan Japan's design arm, Creative Box, and the American pharmaceutical research conglomerate Inotiv, allegedly stealing 176 GB of internal company files.
The big pharma corporation, which does research testing on animals, was fined $35 million by the US Justice Department in 2024 for egregious animal welfare violations.
Past Qilin victims include global energy and manufacturing giant SK Group, headquartered in South Korea, US newspaper conglomerate Lee Enterprises, the Houston Symphony, Detroit’s PBS TV station, top North American auto parts suppliers Yanfeng in China, and the prestigious Utsunomiya cancer treatment center in Japan.