Four Lebanese Hospitals Patient Records with Cleartext Passwords on Dark Web

Jan 15, 2025 · Healthcare sector

MEDIUM

By Karim El Labban · ZERO|TOLERANCE

Four Lebanese Hospitals: Patient Records Spanning 2010-2021 Listed on Dark Web with Cleartext Passwords

In January 2025, dark web monitoring identified listings containing patient records from four Lebanese hospitals: Bellevue Medical Center, Nini Hospital, Notre Dame University (NDU) Medical Center, and Haykel Hospital.

The leaked data spanned records from 2010 to 2021 and included not only patient medical information but cleartext passwords that provided live access to hospital information systems.

The Lebanese Ministry of Public Health did not respond to the disclosure, and no enforcement action was taken under Law No. 81.

01

KEY FACTS

  • What: Patient records from four Lebanese hospitals listed on dark web with live passwords.
  • Who: Patients of Bellevue, Nini, NDU Medical Center, and Haykel hospitals (2010-2021).
  • Data Exposed: Medical records, passport numbers, lab results, and cleartext passwords.
  • Outcome: Ministry of Public Health did not respond; no enforcement action taken.

02

WHAT HAPPENED

In January 2025, dark web monitoring services identified listings on established criminal marketplaces containing patient databases from four Lebanese hospitals: Bellevue Medical Center, Nini Hospital, Notre Dame University (NDU) Medical Center, and Haykel Hospital.

The listings were not samples or partial extracts. They were complete database dumps spanning patient records from 2010 to 2021 - over a decade of clinical interactions across four separate institutions.

The most alarming element was not the patient data itself but what accompanied it: cleartext usernames and passwords for hospital information system accounts, including administrative credentials. These were not hashed passwords requiring offline cracking.

They were plaintext strings stored directly in the database, meaning anyone purchasing the listing gained immediate, live access to hospital systems.

The credentials included staff accounts with administrative privileges to patient record systems, enabling not just data theft but potential modification of medical records, prescription histories, and diagnostic results.

The involvement of four separate hospitals in a single disclosure suggests a common attack surface - either a shared IT infrastructure provider, a common healthcare management software platform, or a vulnerability in a system used across multiple Lebanese healthcare facilities.

The databases were listed by the same seller, and the data formatting was consistent across all four institutions, reinforcing the assessment that a shared technical dependency was compromised rather than four independent attacks occurring simultaneously.

The Lebanese Ministry of Public Health did not respond to the disclosure. No enforcement action was taken under Law No. 81 of 2018. No breach notifications were issued to affected patients.

As of the publication of this analysis, the cleartext credentials, which may not have been rotated, remain a live access vector to hospital systems.

03

WHAT WAS EXPOSED

  • Patient full names, dates of birth, and gender information across all four hospitals
  • Blood group classifications and medical file reference numbers
  • Laboratory test results including blood work panels, diagnostic imaging references, and pathology reports
  • Passport numbers and national identification data
  • Cleartext usernames and passwords for hospital information system accounts, enabling live unauthorized access
  • Staff account credentials including administrative access to patient record systems
  • Insurance information and billing records

The storage of passwords in cleartext is a fundamental security failure that has been considered unacceptable practice for decades.

The involvement of four separate hospitals suggests either a common IT infrastructure provider or a shared vulnerability in healthcare management software. The temporal span of 2010 to 2021 represents over a decade of patient interactions.

In Lebanese society, where medical privacy intersects with social, religious, and familial dynamics, the exposure of certain medical conditions can carry profound personal consequences.

04

REGULATORY ANALYSIS

This breach occurred seven years after the enactment of Law No. 81 of 2018. The Data Protection Authority mandated by the law has not been established. No implementing regulations have been issued.

Healthcare data receives specific attention under international frameworks; Lebanon's Law No. 81 establishes general principles that would require heightened protection for medical records.

Lebanon's medical professional secrecy obligations under the Penal Code (Articles 579-581) impose duties of confidentiality but are designed for individual practitioners, not systemic security failures.

05

ZERO|TOLERANCE Advisory

Cleartext passwords in a database in 2025. This is not a failure of resources, budget constraints, or technical complexity. Password hashing has been standard practice since the 1970s.

The bcrypt algorithm has been available since 1999. The storage of credentials in plaintext is a decision - whether made through ignorance or negligence - that transforms a data breach into a live access breach. The four Lebanese hospitals did not just lose patient data.

They gave away the keys to systems that may still be accessible. Every control below addresses a specific failure that enabled this outcome.

The most immediate threat is that the cleartext credentials listed on the dark web may still provide live access to hospital information systems. Credential rotation must be treated as an emergency action, not a remediation step.

Every username and password pair exposed in the listings must be invalidated immediately across all four hospitals. All staff accounts - clinical, administrative, and IT - must be forced to reset credentials through a verified out-of-band process.

Service accounts with embedded credentials must be identified and rotated. Until rotation is confirmed complete, the assumption must be that unauthorized parties have active access to patient record systems, prescription management, and diagnostic databases.

The difference between rotating credentials within 24 hours of discovery and leaving them active for weeks is the difference between a historical data breach and an ongoing, real-time compromise.

All credential storage must be migrated to bcrypt, scrypt, or Argon2id with appropriate work factors. These algorithms are computationally expensive to reverse, meaning that even if a database is exfiltrated, the passwords remain protected.

Cleartext storage, MD5 hashing, and SHA-1 hashing without salting are all functionally equivalent to plaintext in terms of attacker effort required.

The migration path is straightforward: on each user's next successful login, the application re-hashes the credential using the target algorithm and overwrites the stored value. No downtime is required. No user action is needed beyond their next login.

This migration should have been completed decades ago.
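
A sketch of the login-time migration described above, added here as an illustration and not code from any of the affected hospital systems. It uses scrypt from Python's standard library; the record layout, `SAMPLE_DB` and the function names are assumptions, and `lock_unmigrated` goes beyond the text to handle accounts that never log in again and would otherwise stay in cleartext.

```python
import hashlib
import hmac
import os

# Assumed scrypt work factor (about 16 MiB per hash); tune for your hardware.
N, R, P = 2**14, 8, 1

# Constructed sample rows: "plain" marks the legacy cleartext column.
SAMPLE_DB = {
    "nurse01": {"scheme": "plain", "value": "Winter2019!"},
    "dormant": {"scheme": "plain", "value": "Hospital123"},
}

def hash_password(password: str) -> dict:
    """Build a salted scrypt record that stores its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return {"scheme": "scrypt", "n": N, "r": R, "p": P,
            "salt": salt.hex(), "value": dk.hex()}

def verify(record: dict, password: str) -> bool:
    """Check a password against either record type in constant time."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["value"].encode(), password.encode())
    if record["scheme"] == "scrypt":
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"], dklen=32)
        return hmac.compare_digest(dk.hex(), record["value"])
    return False  # "locked" or unknown scheme never authenticates

def login(db: dict, user: str, password: str) -> bool:
    """Authenticate; after a successful legacy login, overwrite the cleartext."""
    record = db.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "plain":
        db[user] = hash_password(password)  # re-hash and replace stored value
    return True

def lock_unmigrated(db: dict) -> list:
    """At the end of the migration window, lock rows still in cleartext."""
    stale = sorted(u for u, rec in db.items() if rec["scheme"] == "plain")
    for user in stale:
        db[user] = {"scheme": "locked"}  # requires an out-of-band reset
    return stale
```

Rows for credentials that already appear in a leaked listing belong in the locked state immediately rather than in login-time migration, in line with the rotation requirement above.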

The involvement of four separate hospitals in a single breach strongly suggests a shared IT dependency - either a common hospital information system (HIS) vendor, a shared managed service provider, or a common software platform deployed across all four institutions.

Identifying and securing that shared dependency is critical. If a single vendor or platform is the root cause, every other Lebanese hospital running the same system is equally vulnerable.

The shared vendor must be audited for the same cleartext credential storage pattern, and all instances of the platform must be assessed for identical vulnerabilities.

Healthcare facilities relying on third-party HIS platforms must include security requirements in procurement contracts - specifically mandating password hashing algorithms, encryption at rest for patient data, and annual penetration testing.

Lebanon's Law No. 81 of 2018 established a data protection framework seven years ago. The Data Protection Authority mandated by the law has never been created. No implementing regulations have been issued.

The result is a healthcare sector where four hospitals can store passwords in cleartext, lose a decade of patient records to the dark web, and face no regulatory consequence whatsoever.

In the absence of functioning regulatory enforcement, hospitals must adopt international healthcare security frameworks voluntarily - specifically HITRUST CSF or ISO 27799 for healthcare information security management.

These frameworks mandate credential hashing, access controls, encryption at rest, and incident response procedures that would have prevented every element of this breach.

Voluntary adoption is not ideal, but it is the only available path when the regulatory infrastructure does not exist.

06

SOURCES

Dark web marketplace analysis, SMEX Lebanon Privacy Report, Law No. 81 of 2018, Lebanese Medical Ethics Code, OWASP, Access Now
