
Cyber Incident Victim: Sophiahemmet

Date: Feb 2024

Location: Sweden

Summary

A cyberattack targeted Sophiahemmet, prompting the activation of a regional special healthcare management team in standby mode to monitor the situation and implement necessary measures. Security-related protective actions disrupted parts of the hospital's IT environment, causing certain healthcare providers to lose access to the region's electronic health record systems and surrounding platforms, requiring temporary manual workarounds for specific care processes. Regional authorities are closely tracking developments with the aim of restoring affected functionality promptly, while emphasizing that other care providers in the region remain unaffected by these disruptions.


Description

A cyberattack targeting Sophiahemmet prompted the Stockholm Region to activate its Regional Special Healthcare Management (RSSL) in standby mode (stabsläge) as of late Tuesday evening on February 1, 2024. Security-related protective measures were implemented, disrupting portions of the IT environment within Sophiahemmet’s hospital area. This disruption severed access to the region’s electronic health record systems and peripheral systems for certain healthcare providers operating at the facility. Affected providers were compelled to transition to manual workflows for specific care processes, though the incident did not impact other healthcare providers elsewhere in the region. Regional authorities closely monitored the situation while working to restore system functionality for Sophiahemmet-associated providers as swiftly as possible. The attack’s operational consequences remained localized to Sophiahemmet’s IT infrastructure, with no immediate indication of broader regional network compromise.


The RSSL’s standby mode activation signified a coordinated effort to maintain situational awareness, execute necessary countermeasures, and track incident developments without escalating to higher preparedness levels. Regional frameworks define three operational tiers: standby (stabsläge), reinforcement (förstärkningsläge), and disaster (katastrofläge). The standby posture confirmed the incident had not yet necessitated reinforcing critical functions (förstärkningsläge) or full-scale emergency mobilization (katastrofläge). While restoration timelines were unspecified, the region prioritized minimizing care delivery disruptions through provisional manual protocols. No details regarding attack vectors, threat actors, or data compromise were disclosed. The response focused exclusively on mitigating clinical workflow impacts through IT containment and procedural adaptations pending system recovery.
