Cyber Incident Victim: Mathilden Hospital
Date: Dec 2023
Location: Germany
Summary
A cyberattack attributed to LockBit 3.0 caused a widespread IT system outage across multiple hospitals, including Mathilden Hospital, leaving operations running under technical limitations. Attackers encrypted data after gaining unauthorized access to the IT infrastructure, prompting an immediate shutdown of all systems as a security measure. While patient data remained accessible through backup systems for treatment purposes, emergency services were suspended preemptively. A crisis team was activated to analyze the breach, secure systems, and coordinate with authorities and cybersecurity specialists. The full extent of the damage, including potential attacker demands, remains unclear as recovery efforts continue under operational constraints.
Description
On December 24, 2023, during early morning hours, the IT systems of Franziskus Hospital Bielefeld, Sankt Vinzenz Hospital Rheda-Wiedenbrück, and Mathilden Hospital Herford experienced a complete outage following a cyberattack. Unidentified attackers breached the IT infrastructure of these facilities, which operate under the Katholische Hospitalvereinigung Ostwestfalen (KHO) network, and deliberately encrypted data. Initial assessments indicated the attack likely involved LockBit 3.0 ransomware, though the timeframe for restoration remained unclear at the time of reporting. Upon detecting the intrusion, hospital administrators immediately powered down all systems as a precautionary measure and notified relevant personnel and external agencies. Dr. Jan Schlenker, KHO’s managing director, confirmed the activation of an overnight crisis team to analyze the breach, with all system access points promptly locked to prevent further infiltration. Backup systems preserved critical patient data, allowing continued access for medical treatment despite the primary infrastructure shutdown. Deputy Managing Director Philipp Herzog stated that clinical operations continued under technical constraints, though emergency services were suspended as a safety measure. The attack impacted six hospitals under KHO’s management, affecting approximately 3,300 employees across facilities in Bielefeld, Gütersloh, Harsewinkel, Oelde, Herford, and Rheda-Wiedenbrück. Authorities and cybersecurity specialists were engaged in forensic investigations, but no details regarding attacker demands, data exfiltration, or encryption scope were disclosed.

The incident disrupted non-clinical administrative and technical systems, forcing staff to rely on contingency protocols to maintain patient care. KHO’s IT security teams collaborated with external experts to restore systems and secure data, though recovery timelines were not projected. No patient data loss was reported due to functional backups, but operational limitations persisted, including disconnection from regional emergency response networks. The hospitals maintained inpatient and outpatient services while managing reduced IT capabilities, prioritizing critical medical equipment over administrative functions. KHO’s public communications emphasized ongoing efforts to investigate the attack’s origin and mitigate risks, without confirming whether ransomware payments were demanded or negotiated. The coordinated response across multiple facilities highlighted the operational challenges of managing healthcare infrastructure during cyber incidents, particularly during holiday periods with reduced staffing.
