Ransomware attack forces 25 Romanian hospitals to go offline – Source: www.bleepingcomputer.com

Over two dozen hospitals in Romania have taken their systems offline after a ransomware attack took down their healthcare management system.

The Hipocrate Information System (HIS) used by hospitals to manage medical activity and patient data was targeted over the weekend and is now offline after its database was encrypted.

75 other healthcare facilities using HIS have also taken their systems offline as a precautionary measure while the incident is investigated.

“During the night of 11-12 February 2024, a massive ransomware cyber-attack targeted the production servers running the HIS information system. As a result of the attack, the system is down, files and databases are encrypted,” the Romanian Ministry of Health said.

“The incident is under investigation by IT specialists, including cybersecurity experts from the National Cyber Security Directorate (DNSC), and the possibilities for recovery are being assessed. Exceptional precautionary measures have also been activated for the other hospitals not affected by the attack.”

The ransomware attack affected various hospitals across Romania, including regional and cancer treatment centers, and a team of DNSC cybersecurity experts is currently investigating the cyber incident.

DNSC says the attackers used Backmydata ransomware to encrypt the hospitals’ data, a ransomware variant from the Phobos family.

“Most of the affected hospitals have backups of data on the affected servers, with data saved relatively recently (1-2-3 days ago) except one, whose data was saved 12 days ago,” DNSC said.

The attackers have sent a ransom demand of 3.5 BTC (roughly €157,000). However, the name of the group claiming the attack is not mentioned in the ransom note, only an email address.

The list of 25 hospitals confirmed to have had their data encrypted by the attackers includes:

• Pediatric Hospital Pitesti
• Buzău County Emergency Hospital
• Slobozia County Emergency Hospital
• “Sf. Apostol Andrei” Emergency County Clinical Hospital Constanta
• Pitești County Emergency Hospital
• Military Emergency Hospital “Dr. Alexandru Gafencu” Constanta
• Institute of Cardiovascular Diseases Timișoara
• Emergency County Hospital “Dr. Constantin Opriș” Baia Mare
• Sighetu Marmației Municipal Hospital
• Târgoviște County Emergency Hospital
• Colțea Clinical Hospital
• Medgidia Municipal Hospital
• Fundeni Clinical Institute
• Oncological Institute “Prof. Dr. Al. Trestioreanu” Institute Bucharest (IOB)
• Regional Institute of Oncology Iasi (IRO Iasi)
• Azuga Orthopaedics and Traumatology Hospital
• Băicoi City Hospital
• Emergency Hospital for Plastic, Reconstructive and Burn Surgery Bucharest
• Hospital for Chronic Diseases Sf. Luca
• C.F. Clinical Hospital no. 2 Bucharest
• Medical Centre MALP SRL Moinești
• Institute of Phonoaudiology and ENT Functional Surgery “Prof. Dr. D. Hociotă”, Bucharest, Romania
• Brad Pneumonology Sanatorium, Hunedoara
• Hospital of Pneumonology Rosiorii de Vede
• Băicoi City Hospital
• Sante Clinic Calarasi

Back to paper

Since the systems were taken offline or shut down, doctors have been forced to return to writing prescriptions and keeping records on paper.

“After 400 computers and servers were shut down, we worked mostly on paper,” IRO Iasi manager Mirela Grosu told Agerpres.

“I mean we did continuous admission records on paper, day admission records on paper, we wrote medical test recommendations on paper. Everything is done on paper, just as we did years ago.”

“All servers have been shut down. The Internet has also been shut down, so there will be no loss, data leakage or anything else,” added systems engineer Florin Trandabăţ.

At the moment, there is no information on what ransomware operation encrypted the hospitals’ medical services management platform or if patients’ personal or medical data was also stolen during the incident.

RSC (Romanian Soft Company SRL), the software service provider behind the Hipocrate healthcare system, has yet to issue a public statement regarding this incident.

A RSC spokesperson was not available for comment when contacted by BleepingComputer via email and over the phone.

Update February 12, 11:29 EST: Added DNSC statement saying the hospitals had backups and the attackers used Backmydata ransomware

Update February 13, 05:43 EST: DNSC says four more hospitals have had their data encrypted bringing the total to 25, but there is currently no evidence of data theft.

Revised article and title after DNSC’s update on February 13.