Ransomware | Resolved

Hillel Yaffe Medical Center ransomware attack

DeepBlueMagic ransomware paralysed Israel's Hillel Yaffe Medical Center, locking every hospital computer system. As a government-owned hospital barred from paying ransom, it ran on paper and alternative systems for weeks, taking roughly two months to fully recover.

Victim
Hillel Yaffe Medical Center

On 13 October 2021, the Hillel Yaffe Medical Center in Hadera, Israel, was hit by DeepBlueMagic ransomware that locked every computer system in the hospital. The attack, one of the most damaging on Israeli healthcare to date, forced a 1,000-bed general hospital to fall back on paper for weeks and took roughly two months to fully resolve.

What happened

DeepBlueMagic, a strain first seen in the wild in August 2021, is notable for abusing legitimate encryption tooling: it leverages a third-party disk-encryption product and Microsoft BitLocker to lock drives, which helps it evade conventional anti-malware detection. The attackers are believed to have gained entry by exploiting a vulnerability in a Pulse Connect Secure VPN appliance.
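Because the strain locks drives with BitLocker rather than a custom encryptor, the useful defender signal is a BitLocker state the organisation did not create. The script below is an added example, not code from this page or from any vendor; it uses the built-in `Get-BitLockerVolume` cmdlet (BitLocker module, elevated Windows session) to flag volumes that are encrypting or protected without a recovery-password protector the organisation holds. The `$expectedEncrypted` list is a constructed assumption.

```powershell
# Added example: audit BitLocker volume state for signs of unexpected encryption.
# Requires the BitLocker PowerShell module and an elevated session.
# $expectedEncrypted is a constructed assumption: the mount points the
# organisation deliberately encrypts and whose recovery passwords it escrows.
$expectedEncrypted = @('C:')

$findings = foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    $status = [string]$vol.VolumeStatus
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $hasRecovery = $protectorTypes -contains 'RecoveryPassword'
    $active = ($status -ne 'FullyDecrypted')   # encrypting, paused or fully encrypted

    # Case 1: a volume the organisation never meant to encrypt has BitLocker activity.
    if ($active -and ($expectedEncrypted -notcontains $mp)) {
        [pscustomobject]@{ MountPoint = $mp; Status = $status
                           Protectors = ($protectorTypes -join ',')
                           Finding = 'BitLocker active on a volume not in the expected list' }
    }
    # Case 2: encryption exists but no recovery password the organisation could use.
    if ($active -and -not $hasRecovery) {
        [pscustomobject]@{ MountPoint = $mp; Status = $status
                           Protectors = ($protectorTypes -join ',')
                           Finding = 'No RecoveryPassword protector; keys not recoverable by the organisation' }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'BitLocker state matches expectations on all volumes.'
}
```

Run it on a schedule from an endpoint-management channel so a volume that starts encrypting outside the expected set, or loses its escrowed recovery protector, raises an alert while the drive is still readable; `Backup-BitLockerKeyProtector` escrows legitimate recovery passwords so case 2 stays quiet for managed volumes.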

Once triggered, the ransomware encrypted systems across all levels of the hospital, leaving staff unable to log in to clinical or administrative applications. The hospital reverted to manual, paper-based workflows, postponed non-urgent elective procedures, and rerouted some incoming patients to neighbouring facilities.

Impact

  • A peer-reviewed clinical study of the incident found measurable operational disruption: average hospital occupancy fell from about 83% to 64%, and surgical and emergency activity dropped sharply in the first days before gradually recovering.
  • Time-critical services, including heart catheterisations, births and core outpatient care, were largely sustained, a testament to staff improvisation under degraded conditions.
  • Recovery was staged over roughly eight weeks: laboratory systems came back first, followed by radiology, then the electronic medical record, with full restoration including email by around week eight.

Attribution and the ransom question

Israeli Health Ministry cyber officials assessed the attackers as likely China-based with a purely financial motive, distinct from the Iran-linked, ideologically driven campaigns hitting Israel around the same period. Crucially, as a government-owned hospital, Hillel Yaffe was legally prohibited from paying the ransom, forcing it to rebuild rather than buy back access.

Why it matters

The Hillel Yaffe attack is a defining example of ransomware as a patient-safety issue. It showed that even when no data is publicly leaked, the denial of access to clinical systems can degrade care across an entire hospital for weeks. The incident, together with the parallel wave of attempted attacks on other Israeli hospitals that same week, pushed Israel's health system to accelerate network segmentation, offline backups and VPN patching, and it remains one of the most rigorously documented studies of a hospital cyberattack's real clinical impact.

Timeline

  1. DeepBlueMagic ransomware encrypts Hillel Yaffe Medical Center's systems, locking staff out of every digital system across the hospital.

  2. The hospital switches to manual, paper-based operations and reroutes some patients; non-urgent elective procedures are postponed.

  3. Israeli media report Hillel Yaffe 'paralysed'; authorities warn of a broader wave of attempted attacks on Israeli healthcare entities.

  4. Health Ministry cyber officials assess the attackers as likely China-based with a purely financial motive; as a government hospital, Hillel Yaffe is barred from paying.

  5. After staged restoration of lab, radiology and electronic medical record systems, the hospital reaches full recovery roughly eight weeks after the attack.

Sources

  1. govinfosecurity.com: https://www.govinfosecurity.com/ransomware-attack-on-israeli-medical-center-raises-alarm-a-17740
  2. varonis.com: https://www.varonis.com/blog/deepbluemagic-ransomware
  3. pmc.ncbi.nlm.nih.gov: https://pmc.ncbi.nlm.nih.gov/articles/PMC10904636/
  4. jpost.com: https://www.jpost.com/breaking-news/cyberattack-attempts-towards-israeli-hospitals-thwarted-682221

Related incidents

Ransomware | Contained

HSE Ireland ransomware (Conti)

Conti ransomware paralysed Ireland's Health Service Executive, forcing cancellation of outpatient appointments nationwide for weeks. Conti released the decryptor for free; recovery still cost an estimated €100M+.

Victim
Health Service Executive (HSE) of Ireland
Loss
$130.0M
Records
700.0K
Ransomware | Contained

HSE Ireland Conti ransomware national healthcare shutdown (2021)

Conti operators tricked an HSE user into downloading a booby-trapped Excel attachment; the resulting ransomware forced the Health Service Executive to shut down all of Ireland's healthcare IT systems and exfiltrated 700 GB including COVID-19 vaccination PHI. Recovery cost exceeded €100 million.

Victim
Health Service Executive (HSE) of Ireland
Loss
$110.0M