Full Report
Or Hadar reports: Clalit Health Services, the largest health maintenance organization in Israel, said it is investigating a suspected cyberattack after an Iranian-linked hacking group claimed it breached the insurer’s systems and published thousands of documents containing personal information of patients. The hacking group, calling itself “Handala,” has published thousands of documents online, including medical...
Analysis Summary
# Morning News Roll-up February 25, 2026
## Overview
Recent threat intelligence indicates a surge in state-sponsored and financially motivated cyber activity targeting critical infrastructure, healthcare, and telecommunications sectors globally. Key incidents include a major patient data breach in Israel and the evolution of ransomware tactics by North Korean state actors.
## Top Stories
### Iranian-Linked "Handala" Group Breaches Israel’s Largest HMO
- Summary: Clalit Health Services is investigating a significant breach after the "Handala" hacking group leaked thousands of sensitive medical documents. The leak includes "Form 17" payment authorizations, sick leave certificates, and personal data for over 10,000 patients.
- Source: hxxps://databreaches[.]net/2026/02/25/clalit-probes-suspected-cyberattack-after-iranian-linked-hackers-leak-patient-files/
### Lazarus Group Adopts Medusa Ransomware for Extortion
- Summary: The North Korean-linked Lazarus Group has reportedly integrated Medusa ransomware into its operations. This shift signals a continued move toward diverse extortion campaigns specifically targeting healthcare providers and non-profit organizations.
- Source: hxxps://databreaches[.]net/2026/02/24/lazarus-hackers-adopt-medusa-ransomware-for-extortion-campaigns-targeting-healthcare-and-nonprofits/
### Dutch Telecom Odido Faces 8-Million User Data Ransom Demand
- Summary: Threat actors have claimed a breach of the Dutch telecommunications company Odido, threatening to leak the personal information of approximately 8 million individuals unless a ransom is paid.
- Source: hxxps://databreaches[.]net/2026/02/24/hackers-threaten-to-leak-8-million-peoples-stolen-data-if-dutch-telecom-odido-wont-pay-ransom/
---
# Clalit Health Services Data Breach
Investigation into a suspected cyberattack and subsequent data leak involving Israel's largest health maintenance organization.
## Key Points
- Clalit Health Services (Israel) confirmed a suspected breach and subsequent data leak.
- The leak consists of thousands of sensitive documents, including medical referrals, payment authorizations (Form 17), and internal HR correspondence.
- Over 10,000 patients are estimated to be affected by the initial data release.
- The incident has the characteristics of a "hack-and-leak" operation, likely intended for psychological impact and geopolitical pressure.
## Threat Actors
- **Handala**: An Iranian-linked hacking group known for targeting Israeli entities.
- **Motivations**: Geopolitical influence and disruption, consistent with cyberwarfare activities.
## TTPs
- **Data Exfiltration**: Infiltration of internal document management or insurer systems to extract patient files.
- **Hack-and-Leak**: Publishing stolen sensitive materials on public forums/Telegram to cause reputational damage and social unrest.
- **Psychological Warfare**: Issuing public warnings of further leaks to maximize the impact of the breach.
## Affected Systems
- **Document Management Systems**: Systems housing "Form 17" payment authorizations and medical referral forms.
- **HR and Internal Communications**: Servers containing internal correspondence and employee personal details.
- **Patient Databases**: Exposure of personal information for at least 10,000 individuals.
## Mitigations
- **Data Encryption**: Ensure all patient records and sensitive forms are encrypted at rest and in transit.
- **Access Control**: Implement strict "Least Privilege" access to medical document repositories to prevent bulk exfiltration.
- **Network Segmentation**: Isolate patient data environments from general office networks and HR systems.
- **Monitoring**: Deploy behavioral analytics to detect the mass downloading or unusual movement of sensitive document types like medical certificates.
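
One way to implement the monitoring item above, as an added example rather than code from the report or from the affected organization: a per-account sliding window that alerts when one account downloads sensitive document types for an unusual number of distinct patients. The log layout, document-type labels, account names, and thresholds are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Document types named in the report; these label strings are assumptions.
SENSITIVE_TYPES = {"form17", "sick_leave_certificate", "medical_referral"}

def detect_bulk_access(lines, window=timedelta(minutes=10), max_patients=20):
    """Return [(user, alert_time, distinct_patients)], one entry per account,
    raised the first time that account downloads sensitive documents for more
    than max_patients distinct patients inside one sliding window.
    Assumed log layout, in time order: 'ISO-time user action doc_type patient_id'."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, patient_id)
    alerted, alerts = set(), []
    for line in lines:
        ts_raw, user, action, doc_type, patient = line.split()
        if action != "download" or doc_type not in SENSITIVE_TYPES:
            continue  # only sensitive downloads count toward the threshold
        ts = datetime.fromisoformat(ts_raw)
        events = recent[user]
        events.append((ts, patient))
        while ts - events[0][0] > window:  # evict events older than the window
            events.popleft()
        distinct = len({p for _, p in events})
        if distinct > max_patients and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, distinct))
    return alerts

def sample_log():
    """Constructed sample: a clinician opening a few records, an office account
    fetching non-sensitive files, and a service account pulling one sensitive
    document per patient every 5 seconds."""
    base = datetime(2026, 1, 1, 9, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=7 * i)
        lines.append(f"{t.isoformat()} dr_levi download medical_referral P{i:04d}")
    for i in range(30):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} office_01 download newsletter -")
    for i in range(60):
        t = base + timedelta(seconds=5 * i)
        kind = ("form17", "sick_leave_certificate")[i % 2]
        lines.append(f"{t.isoformat()} svc_export download {kind} P{1000 + i}")
    return sorted(lines)  # same-format ISO timestamps sort chronologically

if __name__ == "__main__":
    for user, when, count in detect_bulk_access(sample_log()):
        print(f"ALERT {user} at {when}: {count} distinct patients in window")
```

Counting distinct patients rather than raw requests keeps a clinician who reopens the same file repeatedly from tripping the alert; in practice the threshold would be tuned per role from historical access data.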
## Conclusion
The breach of Clalit Health Services by the "Handala" group represents a focused effort by Iranian-linked actors to weaponize healthcare data for geopolitical purposes. This incident highlights the high vulnerability of HMOs and the severe privacy risks associated with centralized medical records. Organizations in the healthcare sector should prioritize the monitoring of document management systems and prepare incident response plans specifically for "hack-and-leak" scenarios.