Update: The article and title have been revised to reflect the increasing number of impacted hospitals.
100 hospitals across Romania have taken their systems offline after a ransomware attack hit their healthcare management system.
The Hipocrate Information System (HIS) used by hospitals to manage medical activity and patient data was targeted over the weekend and is now offline after its database was encrypted.
While 25 hospitals have already been confirmed to have had their data encrypted by the attackers, 75 other healthcare facilities using HIS have also taken their systems offline as a precautionary measure while the incident is investigated.
“During the night of 11-12 February 2024, a massive ransomware cyber-attack targeted the production servers running the HIS information system. As a result of the attack, the system is down, files and databases are encrypted,” the Romanian Ministry of Health said.
“The incident is under investigation by IT specialists, including cybersecurity experts from the National Cyber Security Directorate (DNSC), and the possibilities for recovery are being assessed. Exceptional precautionary measures have also been activated for the other hospitals not affected by the attack.”
The ransomware attack affected various hospitals across Romania, including regional and cancer treatment centers, with a team of DNSC cybersecurity experts currently investigating the attack’s impact.
DNSC says the attackers used Backmydata ransomware to encrypt the hospitals’ data, a ransomware variant from the Phobos family.
“Most of the affected hospitals have backups of data on the affected servers, with data saved relatively recently (1-2-3 days ago) except one, whose data was saved 12 days ago,” DNSC said.
The attackers have sent a ransom demand of 3.5 BTC (roughly €157,000). However, the name of the group claiming the attack is not mentioned in the ransom note, only an email address.
Back to paper
Since the systems were taken offline or shut down, doctors have been forced to return to writing prescriptions and keeping records on paper.
“After 400 computers and servers were shut down, we worked mostly on paper,” Regional Institute of Oncology Iasi (IRO Iasi) manager Mirela Grosu told Agerpres.
“I mean we did continuous admission records on paper, day admission records on paper, we wrote medical test recommendations on paper. Everything is done on paper, just as we did years ago.”
“All servers have been shut down. The Internet has also been shut down, so there will be no loss, data leakage or anything else,” added systems engineer Florin Trandabăţ.
At the moment, there is no information on what ransomware operation encrypted the hospitals’ medical services management platform or if patients’ personal or medical data was also stolen during the incident.
RSC (Romanian Soft Company SRL), the software service provider behind the Hipocrate healthcare system, has yet to issue a public statement regarding this incident.
A RSC spokesperson was not available for comment when contacted by BleepingComputer via email and over the phone.
Update February 12, 11:29 EST: Added DNSC statement saying the hospitals had backups and the attackers used Backmydata ransomware
Update February 13, 05:43 EST: DNSC says four more hospitals have had their data encrypted bringing the total to 25, but there is currently no evidence of data theft.