Clalit probes suspected cyberattack after Iranian-linked hackers leak patient files

The hacking group, calling itself 'Handala,' has published thousands of documents online, including medical referral forms, sick leave certificates, test referrals and internal correspondence

Clalit Health Services, the largest health maintenance organization in Israel, said it is investigating a suspected cyberattack after an Iranian-linked hacking group claimed it breached the insurer’s systems and published thousands of documents containing personal information of patients.
The National Cyber Directorate is also examining the incident.
Clalit said in a statement that the matter was being “immediately and thoroughly examined by Clalit’s information security and cyber experts.”
“Upon receiving the report, monitoring and response mechanisms were activated, and proactive and preventive actions are being carried out to strengthen defenses, alongside a comprehensive professional review to assess the reliability and scope of the published information,” the statement said. “Clalit’s information systems and services are operating as usual and in full. The incident has been reported to all relevant authorities, including the Privacy Protection Authority, the National Cyber Directorate and the Health Ministry, and we are working transparently and in full cooperation with them.”
The hacking group, calling itself “Handala,” has published thousands of documents online, including medical referral forms known as “Form 17” — a payment authorization required for certain treatments — sick leave certificates, test referrals and internal correspondence. Some of the materials appear to include personal details of patients and Clalit employees, as well as communications with the human resources department.
In a statement posted online, the group claimed it had exposed sensitive medical information belonging to more than 10,000 patients and warned of further action. The authenticity and full scope of the leaked materials could not be independently verified.
Gil Messing, chief of staff at cybersecurity firm Check Point, said Handala is affiliated with the Iranian regime and has previously claimed responsibility for several high-profile cyber incidents, including breaches of politicians’ Telegram accounts.
“During periods of heightened security tensions with Iran, the group tends to escalate the publication of materials or claims of attacks in order to undermine the public’s sense of security,” Messing said. “Based on past experience, when they say something happened, usually something did occur, but not necessarily at the scale they describe. There is often a degree of exaggeration.”
The reported breach follows a cyberattack about four months ago on Shamir Medical Center, also known as Assaf Harofeh Medical Center. That attack, attributed to a hacking group from Eastern Europe, involved a ransom demand of $700,000 and threats to publish patient information. The Health Ministry at the time acknowledged concerns over a possible data leak and said initial findings indicated that emails sent to and from the hospital, including medical information, had been exposed.