Romanian hospitals swiftly recover from major cyberattack without patient harm

23 Jun 2026, 11:58

In February 2024, Romania faced a significant cyberattack that impacted its healthcare system, but the swift response ensured that no patient deaths or serious injuries were reported. The attack targeted a widely used medical software called Hippocrates, which is essential for managing patient admissions, payroll, pharmacy logistics, and test results.

Hacker groups compromised the system developed by RSC, based in Bucharest, infecting 26 hospitals with a ransomware strain named BackMyData. The attackers demanded a ransom of 160,000 euros in bitcoin, but a national decision was made not to pay. Instead, over four days starting on February 10, authorities disconnected more than 100 medical units from the internet, effectively halting the cyber threat.

Dan Cimpean, head of cybersecurity, issued an urgent order that read, "Disconnect from the internet, now!" This decisive action allowed unaffected hospitals to resume operations with additional protective measures in place the very next day, and many facilities were back online within five days.

During this challenging period, healthcare professionals, such as surgeon Oana Goidescu at the Buzău Hospital, were forced to revert to paper-based procedures. Goidescu reflected on the difficulties, stating, "It was a rather unpleasant experience, because an IT record is not just a list of patients."

The scale of the attack was so severe that it was reported by the BBC as one of the most significant healthcare cyber incidents globally. The FBI has also indicated that healthcare is now the most targeted sector of national critical infrastructure. Despite the distressing situation, the response from the cybersecurity teams was commendable, as they raced to restore systems from backup data, with most hospitals having relatively recent data copies.

Public messages urged patients to avoid hospital visits unless necessary, while the National Cybersecurity Directorate (DNSC) maintained communication with both hospitals and the public through the media. Following the incident, investigations were launched, but authorities have not disclosed details regarding the perpetrators. Notably, four Russians linked to a group associated with BackMyData were arrested outside of Russia, although cooperation from Russian authorities remains nonexistent.