Medical Information Leaked After Hackers Breach Israeli Emergency Responders' Website

The hackers were able to obtain information about patients and other sensitive information after the Magen David Adom site was hacked

Medical information from the Magen David Adom website.

Serious security breaches in the website of Magen David Adom, also known as MDA, have led to the leaking of identifying information about patients, sensitive medical information, financial information and even information on organization volunteers.

A so-called white hat hacker – who finds breaches to improve cybersecurity rather than to attack sites – revealed the information this week. The hacker, Eliel Hauzi, is a professional programmer and veteran of the army’s Encryption and Security Center who checks the security of websites in his free time. He said that he discovered the breach about a month ago. “It was a hack of leaking information,” he said. “By changing the parameters in the web page, it was able to obtain details of other patients: names, addresses, phone numbers, ID numbers and bills. Afterward, I also found medical documents, like if an ambulance paramedic said a person had AIDS.”

Hauzi was also able to find a way to see patients’ credit card numbers. “Hacking was very easy,” he said, noting the weak spot was in MDA’s payment site. He said he wavered over whether to tell the press and decided to just report the problems to MDA, which quickly closed the breach.

A month later, he discovered that through the volunteer site he could gain control of and download the entire database, and could rewrite code in order to shut down the system and disrupt ambulance service. He reported the problem to national authorities, to the Authority for the Defense of Privacy and to MDA. In the wake of the second breach, Magen David Adom took down all its websites this week.

Magen David Adom commented: “All MDA’s information systems are secured at very high levels using the most advanced technologies. Still, breaches are sometimes discovered as the level of hackers rises, and so when we were immediately informed of the breach, we took all the necessary steps.”

MDA stressed that “at no time was there any danger to the organization’s operational servers.”