Ransomware | Resolved

Romanian hospitals ransomware wave

A Backmydata (Phobos-family) ransomware attack on the shared Hipocrate hospital information system encrypted data at 25 Romanian hospitals and forced about 75 more offline, pushing more than 100 facilities back to paper records.

Victim: Romanian hospitals (Hipocrate HIS / Romanian Soft Company)

In the early hours of 12 February 2024, a ransomware attack struck the Hipocrate Information System (HIS), a hospital management platform used across Romania, encrypting patient and administrative data at 25 hospitals and forcing roughly 75 more to pull their systems offline. In total over 100 healthcare facilities were affected, in what Romania's cyber authority called one of the most disruptive incidents ever to hit the country's health sector.

What happened

The attackers deployed Backmydata, a variant of the Phobos ransomware family, against the production servers running HIS, software developed and operated by the Romanian vendor Romanian Soft Company (RSC). Because dozens of hospitals shared the same centrally-hosted platform, a single compromise cascaded across the network: a textbook third-party / supply-chain failure in critical infrastructure.

Symptoms first surfaced on 10 February at the Pitesti Pediatric Hospital, then spread overnight on 11-12 February. Some 400 computers and servers were encrypted. The ransom note demanded 3.5 BTC, about 157,000 euro (roughly 170,000 USD) at the time, for a decryptor and a pledge not to publish stolen data. It carried only an email address and named no group.

Impact

  • 25 hospitals had data encrypted; about 75 additional facilities, including cancer, cardiology and pediatric centres, disconnected HIS as a precaution.
  • Affected hospitals reverted to paper records for prescriptions, admissions and documentation, slowing care for days.
  • The targeted sites ranged from major Bucharest hospitals to regional and emergency facilities.

Response

Romania's National Cyber Security Directorate (DNSC), together with national intelligence and police cyber units, led the response. Critically, the DNSC reported that most affected hospitals held recent backups (data saved one to three days earlier, with a single outlier at twelve days), which made recovery feasible without paying the ransom. Authorities publicly advised against payment and against negotiating with the attackers.

There was no confirmed exfiltration of patient data at the time of reporting; the incident was primarily an encryption-and-extortion event rather than a mass data leak. Hospitals restored HIS from backups over the following weeks.

Why it matters

The episode is a landmark national healthcare resilience case. It showed how a shared software platform can turn one ransomware infection into a country-wide outage, and how disciplined offline backups plus a no-pay policy can blunt extortion. It accelerated Romanian and EU scrutiny of cybersecurity obligations for healthcare providers and managed software vendors under the NIS2 Directive, and became a frequently-cited example of why centralised health-IT systems need segmentation, tested recovery, and vendor accountability.

Timeline

  1. Symptoms of the intrusion first appear at the Pitesti Pediatric Hospital, the earliest publicly known affected site.

  2. During the night of 11-12 February, attackers deploy the Backmydata ransomware against production servers of the Hipocrate Information System (HIS).

  3. Romania's National Cyber Security Directorate (DNSC) confirms the attack; 25 hospitals have data encrypted and around 75 more disconnect HIS as a precaution.

  4. Ransom note demands 3.5 BTC (about 157,000 euro / ~170,000 USD) for a decryptor and a promise not to leak data; it contains only an email address, no group name.

  5. DNSC reports that most affected hospitals hold recent backups (1-3 days old, one 12 days old) and advises against paying the ransom.

  6. Hospitals progressively restore HIS from backups; facilities continue operating on paper records during recovery.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-100-romanian-hospitals-to-go-offline/
  2. therecord.media: https://therecord.media/romanian-hospitals-offline-after-ransomware-attack
  3. securityweek.com: https://www.securityweek.com/ransomware-attack-knocks-100-romanian-hospitals-offline/
  4. darkreading.com: https://www.darkreading.com/application-security/ransomware-epidemic-romanian-hospitals-tied-healthcare-app
  5. theregister.com: https://www.theregister.com/2024/02/14/romanian_hospital_ransomware_crisis/
