We are tracking exposed credentials for your staff on stealer logs and combo lists — the exact entry point behind the ransomware that has shut Belgian hospitals down — alongside live fakes of your patient services. The leak is the precursor; the encrypted EMR is the consequence.
Five findings, in order of how much they should worry you. Every one is backed by defanged, independently verifiable evidence later in this brief.
Hospital ransomware almost never starts with the ransomware. It starts weeks earlier, with a single staff credential captured by an info-stealer on a home device or sold in a combo list. We are tracking a fresh set referencing your domain — valid-looking logins for clinical and administrative staff. On their own they look harmless. To an access broker they are the front door, and they price accordingly.
How one exposed credential becomes a hospital-wide outage — and where the only cheap intervention is.
The cheap intervention is stage 01: a forced reset on an exposed credential costs minutes. Every stage after it costs clinical capacity. This is why credential-exposure monitoring is an operational-resilience control, not an IT nicety.
Highest-risk first — the credential exposure and the patient-facing fakes. Full sets available to your security team on request.
| Finding | Type | Source | Risk | Observed |
|---|---|---|---|---|
| CE-2606-01 · ~640 staff records: info-stealer log referencing @sample-hospital[.]be | credential set | closed channel | 90 | 3 Jun 2026 |
| mijn-sample-hospital[.]example/aanmelden: cloned patient portal · eID / itsme harvest | URL | phishdb | 84 | 5 Jun 2026 |
| ehealth-sample-hospital[.]example: fake eHealth / appointment login | domain | krogza | 78 | 5 Jun 2026 |
| CE-2605-04 · ~1,300 records: combo-list mentions of the hospital domain | credential set | combo list | 72 | 28 May 2026 |
| + 93 further fakes & mentions (full set on request) | | phishdb 61 · krogza 24 · closed channels 8 | | |
Leaked hospital credentials are not random noise — they feed a market. Info-stealers and combo lists supply access brokers, who package and sell a working way in to ransomware affiliates. Monitoring the supply side lets you reset a credential before it is ever bought.
Healthcare is the CCB’s most visible enforcement priority, and the threat is rising: Belgian incident reports were up nearly 70% in 2025. Hospitals are classified as essential entities, which means the strictest obligations and the highest penalties — and, after the 2026 incidents, board-level attention.
max fine of turnover (or €10M) — fines apply, unlike public administrations.
rise in Belgian NIS2 incident reports across 2025.
essential entities must proactively evidence their measures to the CCB.
Every finding here carries its chain of custody — captured from an EU source, SHA-256 hashed, timestamped. That makes it reporting-grade for the CCB notifications and usable as evidence of your risk-management measures under CyberFundamentals. The same monitoring that prevents the incident also evidences your compliance.
evidence for the CCB 24h / 72h / 30-day notifications via Safeonweb@Work.
continuous external-threat monitoring & measurement for essential-level verification.
eIDAS-qualified RFC 3161 timestamps make findings independently verifiable.
This brief is one point in time. It cannot show the credential leaked tonight or the fake portal registered tomorrow. Continuous, managed monitoring — no SOC required — turns a snapshot into a closed window, with a forced-reset trigger the moment a staff credential surfaces.
This brief is a passive-OSINT snapshot. On a call I’ll walk through the exposed credentials and every fake of your patient services, and show how PhishNet keeps you monitored — fully managed, EU-sovereign, self-hosted, no data leaving the EU.