Massive ransomware attack hits 18 hospitals in Romania


Romanian authorities announced a “massive” ransomware cyberattack affecting the activities of at least 18 hospitals. The Health information system (HIS) was knocked offline.

The National Cyber Security Directorate (NCSD) in Romania was notified about a ransomware cyber attack on a service provider for multiple hospitals in the country.

“Currently, a team of NCSD specialists has been dispatched to the scene to investigate the cyber incident. Several hospitals are affected by the attack,” DNSC said.

The Romanian Ministry of Health listed 18 medical facilities that were affected by the attack.

“As a result of the attack, the system is down, files and databases are encrypted,” the Ministry of Health said.

The cyberattack took place on the production servers running HIS IT systems during the night of February 11th to 12th, 2024.

Currently, a team of IT specialists, including cybersecurity experts from NCSD, is investigating the incident and assessing the possibilities for resuming operations. “Exceptional prevention measures were activated” for hospitals unaffected by the attack.

“We recommend that hospital IT teams are not contacted so they can focus on restoring IT services and data! This is the priority at the moment,” the NCSD statement reads.

Dr. Diana Bonto, a spokesperson at Targoviste County Emergency Hospital, said that the system is non-functional, and the hospital cannot access files and databases.

“Medical activities are being carried out under the limitations resulting from the incident,” Bonto said.

At the moment, it remains unclear who is responsible for the cyberattack and whether patients' medical data was stolen.

The websites of some hospitals, such as Fundeni Clinical Institute or Military Emergency Hospital “Dr. Alexandru Gafencu” Constanta, could not be accessed at the time of writing.

Update: the number of victims rises

Nick Tausek, Lead Security Automation Architect at Swimlane, noted that the ransomware attack on Romanian hospitals' healthcare management system caused at least 21 hospitals to move their systems offline.

Hospitals across the country use the Hipocrate Information System (HIS) to manage patient data and medical activity. The threat actors, which the Romanian National Cyber Security Directorate (DNSC) believes used Backmydata ransomware, targeted the production servers running the HIS system, encrypting the databases.

“This ransomware attack highlights the extreme vulnerability of healthcare organizations using interconnected systems to manage data. Hospitals can’t afford downtime and are therefore viewed as more likely to pay ransomware demands, making them an appealing target for ransomware groups. It is crucial that these organizations protect their patient data, and prioritize a preventative cybersecurity approach,” Tausek said.

Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ, shared that the attack reportedly shut down over 400 computers and servers, forcing doctors to resort to manual methods of handwriting prescriptions and paper records.

The recent ransomware attack targeting HIS in Romanian hospitals underscores the critical need for healthcare organizations to prioritize robust cybersecurity measures given their vulnerability to these threats.

“Their vital role and reliance on interconnected systems make them a prime target for threat actors. Shifting from a reactive to a proactive approach is key. By simulating real-world attacks using the common tactics, techniques, and procedures (TTPs) used by ransomware groups, organizations can continuously test their security defenses against these evolving threats to uncover any weak spots,” Costis noted.
