21 hospitals in Romania go offline after ransomware attack

At least 21 hospitals in Romania were knocked offline after a ransomware attack took down their healthcare management system.

The Hipocrate Information System (HIS) used by hospitals to manage medical activity and patient data was targeted over the weekend and is now offline after its database was encrypted.

“During the night of 11-12 February 2024, a massive ransomware cyber-attack targeted the production servers running the HIS information system. As a result of the attack, the system is down, files and databases are encrypted,” the Romanian Ministry of Health said.

“The incident is under investigation by IT specialists, including cybersecurity experts from the National Cyber Security Directorate (DNSC), and the possibilities for recovery are being assessed.

“Exceptional precautionary measures have also been activated for the other hospitals not affected by the attack.”

The ransomware attack affected various hospitals across Romania, including regional and cancer treatment centers, and a team of DNSC cybersecurity experts is currently investigating the cyber incident.

DNSC advised against reaching out to affected hospitals’ IT teams “so they can focus on restoring IT services and data.”

The list of impacted hospitals has been updated following an update shared by the DNSC after the article was published and it includes:

• Pediatric Hospital Pitesti
• Buzău County Emergency Hospital
• Slobozia County Emergency Hospital
• “Sf. Apostol Andrei” Emergency County Clinical Hospital Constanta
• Pitești County Emergency Hospital
• Military Emergency Hospital “Dr Alexandru Gafencu” Constanta
• Institute of Cardiovascular Diseases Timișoara
• Emergency County Hospital “Dr Constantin Opriș” Baia Mare
• Sighetu Marmației Municipal Hospital
• Târgoviște County Emergency Hospital
• Colțea Clinical Hospital
• Medgidia Municipal Hospital
• Fundeni Clinical Institute
• Oncological Institute “Prof. Dr Al. Trestioreanu” Institute Bucharest (IOB)
• Regional Institute of Oncology Iasi (IRO Iasi)
• Azuga Orthopaedics and Traumatology Hospital
• Băicoi City Hospital
• Emergency Hospital for Plastic, Reconstructive and Burn Surgery Bucharest
• Hospital for Chronic Diseases Sf. Luca
• C.F. Clinical Hospital no. 2 Bucharest
• Medical Centre MALP SRL Moinești

Back to paper
Since the systems were taken offline or shut down, doctors have been forced to return to writing prescriptions and keeping records on paper.

“After 400 computers and servers were shut down, we worked mostly on paper,” IRO Iasi manager Mirela Grosu told Agerpres.

“I mean we did continuous admission records on paper, day admission records on paper, we wrote medical test recommendations on paper. Everything is done on paper, just as we did years ago.”

“All servers have been shut down. The Internet has also been shut down, so there will be no loss, data leakage or anything else,” added systems engineer Florin Trandabăţ.

At the moment, there is no information on what ransomware operation encrypted the hospitals’ medical services management platform or if patients’ personal or medical data was also stolen during the incident.

RSC (Romanian Soft Company SRL), the software service provider behind the Hipocrate healthcare system, has yet to issue a public statement regarding this incident.

A RSC spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today via email and over the phone.

Update February 12, 11:29 EST: The Romanian National Cyber Security Directorate (DNSC) says the attackers used Backmydata ransomware to encrypt the hospitals’ data, a ransomware variant from the Phobos family.

In total, 21 hospitals were impacted by the attack, while 79 others using HIS have taken their systems offline as a precautionary measure while the incident is being investigated.

“Most of the affected hospitals have backups of data on the affected servers, with data saved relatively recently (1-2-3 days ago) except one, whose data was saved 12 days ago,” DNSC said.

Revised article and title with updated information provided by DNSC. BleepingComputer