ChipSoft Ransomware Attack Takes Down Patient Records Across 80% of Dutch Hospitals

Dutch healthcare IT vendor ChipSoft, whose HiX electronic patient record system is used by approximately 80% of hospitals in the Netherlands, was struck by a ransomware attack on 7 April. Eleven hospitals have disconnected from ChipSoft systems and reverted to emergency paper procedures. ChipSoft has confirmed a 'data incident' with possible unauthorised access to patient records, and Z-CERT has advised all connected healthcare institutions to disconnect VPN links to the vendor.


The Attack and Its Scale

ChipSoft, the Amsterdam-based healthcare IT company behind the HiX electronic patient record (EPR) system, suffered a ransomware attack detected on 7 April 2026. HiX is used by roughly 80% of hospitals in the Netherlands, making this one of the most systemically significant healthcare IT incidents Europe has seen.

By 8 April, eleven hospitals had taken ChipSoft’s systems offline and activated manual downtime procedures. Nine of those eleven were using HiX for core clinical workflows — including patient records, medication management, ward scheduling, and clinical communications. ChipSoft’s public-facing website and patient portal infrastructure became unreachable shortly after the attack was detected and remained down through the day.

Z-CERT, the Dutch national cybersecurity centre for healthcare and education, issued an advisory to all connected healthcare institutions directing them to:

  • Immediately disconnect VPN tunnels to ChipSoft infrastructure
  • Monitor internal network traffic for signs of lateral movement
  • Activate downtime procedures and revert to paper-based clinical processes
  • Report any anomalous activity in their own environments

Patient Data at Risk

ChipSoft confirmed to Dutch broadcaster NOS that the incident constitutes a “data incident” involving “possible unauthorised access,” and explicitly stated it cannot rule out that patient data has been accessed or stolen. HiX stores comprehensive clinical records including diagnoses, treatment histories, medication regimens, imaging reports, and patient demographics — data categories that command high prices on criminal markets and enable targeted fraud, extortion, and identity theft affecting patients.

Dutch data protection law requires notification to the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) within 72 hours of identifying a breach involving personal data. Healthcare records are classified as special category data under the GDPR, carrying the strictest protections and the most serious consequences for unlawful disclosure.

Supply Chain and Concentration Risk

The ChipSoft incident illustrates a structural vulnerability in healthcare IT markets: the consolidation of clinical infrastructure around a small number of dominant vendors creates nation-level single points of failure. A successful attack on one vendor can simultaneously degrade clinical capability across dozens of hospitals.

This concentration problem is not unique to the Netherlands. Similar dynamics exist in the UK (where TPP and EMIS together serve most GP surgeries), the US (Epic and Oracle Health dominate hospital EPR markets), and across Europe. Regulators are increasingly aware of the risk, but few healthcare organisations have implemented the kind of vendor diversity or offline fallback capability that would meaningfully limit blast radius.

The ChipSoft attack follows a pattern that has become distressingly familiar: ransomware groups identify healthcare IT vendors as high-leverage targets precisely because the cascading operational impact creates maximum pressure for rapid payment, and because healthcare budgets for security are historically constrained relative to the sector’s data sensitivity.

What Affected Organisations Should Do

If your organisation uses ChipSoft/HiX:

  1. Follow Z-CERT guidance: disconnect VPN connections to ChipSoft infrastructure immediately
  2. Activate your downtime procedures and brief clinical staff on paper-based workflows
  3. Audit authentication logs in your own environment for signs of lateral movement from the ChipSoft network
  4. Prepare for a prolonged outage — recovery timelines for ransomware incidents affecting complex healthcare IT environments routinely extend to weeks
  5. Engage your DPO to assess notification obligations under GDPR Article 33 based on your own data sharing with ChipSoft
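
Added example, not part of the original article: one way to run the step 3 audit over exported authentication records, flagging vendor-range sources that reach many hosts, accounts first seen from the vendor range that later log on from internal addresses, and any vendor-range logon after the tunnel was cut. The address range, cut-off time, threshold and log layout are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the article): vendor VPN range, cut-off time, log layout.
VENDOR_NET = ipaddress.ip_network("198.51.100.0/24")  # placeholder (TEST-NET-2)
TUNNEL_CUT = datetime(2026, 4, 7, 18, 0)              # hypothetical disconnect time
FANOUT_LIMIT = 3                                      # distinct hosts per source

# Constructed sample: time, source IP, target host, account, result
SAMPLE_LOG = """\
2026-04-07T02:10:00 198.51.100.20 hix-app01 svc_vendor SUCCESS
2026-04-07T02:11:30 198.51.100.20 hix-db01 svc_vendor SUCCESS
2026-04-07T02:12:05 198.51.100.20 file01 svc_vendor SUCCESS
2026-04-07T02:12:40 198.51.100.20 dc01 svc_vendor FAILURE
2026-04-07T02:13:10 198.51.100.20 dc01 svc_vendor SUCCESS
2026-04-07T03:05:00 10.20.0.15 backup01 svc_vendor SUCCESS
2026-04-07T09:00:00 10.20.0.44 hix-app01 nurse.jansen SUCCESS
2026-04-07T19:30:00 198.51.100.31 hix-app01 svc_vendor SUCCESS
"""

def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, host, user, result = parts
        yield datetime.fromisoformat(ts), ipaddress.ip_address(src), host, user, result

def audit(text):
    fanout = defaultdict(set)  # vendor source -> hosts it logged on to
    vendor_accounts = {}       # account -> first successful logon from vendor range
    findings = []
    for ts, src, host, user, result in sorted(parse(text), key=lambda r: r[0]):
        if result != "SUCCESS":
            continue
        if src in VENDOR_NET:
            fanout[src].add(host)
            vendor_accounts.setdefault(user, ts)
            if ts >= TUNNEL_CUT:  # tunnel should be down: nothing is expected here
                findings.append(("post-cutoff", str(src), host, user))
            if len(fanout[src]) == FANOUT_LIMIT + 1:  # report once per source
                findings.append(("fan-out", str(src), host, user))
        elif user in vendor_accounts and ts > vendor_accounts[user]:
            findings.append(("internal-reuse", str(src), host, user))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Each finding is a lead for triage rather than a verdict; a vendor service account that legitimately runs on internal hosts will show up as internal-reuse and should be allow-listed once confirmed.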

Broader supply chain risk management:

  • Map all third-party vendor connections to your clinical environment and identify which vendors have VPN or direct system access
  • Ensure that vendor access is auditable — you should be able to enumerate active sessions and revoke access within minutes
  • Include healthcare IT vendors in your business continuity planning; downtime procedures for EPR outages must be practised, not theoretical
  • Consider the ENISA Healthcare Cybersecurity Procurement Guidelines when evaluating future vendor contracts for security baseline requirements

Attribution

No ransomware group had publicly claimed responsibility for the ChipSoft attack as of 8 April. The absence of an immediate claim does not rule out data exfiltration — many groups conduct exfiltration silently before posting on data leak sites to allow negotiation time.