Cyber Incident Victim: Carol Davila Hospital
Date:
Feb 2024
Location:
Romania
Summary
During a widespread ransomware campaign targeting the Hippocrates medical system, attackers infected dozens of Romanian hospitals, including Carol Davila Hospital, forcing facilities to disconnect from the internet and revert to paper records. Medical staff improvised offline workflows using printed lab results and spreadsheets while IT teams worked with the software provider to isolate the threat and restore systems from backups, ultimately bringing most hospitals back online within days with no reported fatalities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On 10 February 2024 a ransomware strain named BackMyData began infecting Romanian hospitals that used the Hippocrates medical software, spreading from a compromised Bucharest‑based software firm, RSC. The infection quickly reached over one hundred facilities, prompting the national cyber‑security centre to order all affected hospitals to disconnect from the internet immediately. By dawn on Monday, 12 February, many hospitals reported that the Hippocrates system was unavailable, and investigators later confirmed that twenty‑six sites had been successfully encrypted by the ransomware. Carol Davila Hospital, located in Bucharest, was among the institutions that received the disconnection directive.
At Carol Davila Hospital the loss of the digital system forced medical staff to revert to paper‑based processes, a shift described by Vlad Paic, who said they developed an offline method to register every patient. He explained that the laboratory was asked to provide test results on paper and that the team used Excel and other offline tools to keep patient care uninterrupted. While the hospital operated without connected devices, emails or web browsers, waiting rooms continued to fill and some patients expressed frustration, directing anger at the staff despite explanations that the outage was not their fault. The hospital’s clinicians also created workarounds for admissions, pharmacy logistics and test result tracking to protect patients during the outage.
IT teams at Carol Davila Hospital and elsewhere worked to restore systems from recent backups, a strategy that allowed most hospitals to return to near‑normal operation within five days of the initial shutdown. No deaths or serious harm to patients were reported across the affected hospitals, including Carol Davila, although the manual records created during the outage required weeks to re‑enter into the restored systems and some data was ultimately lost forever. Police have not disclosed details about the perpetrators, though a prior international operation had taken down a website linked to the BackMyData gang and resulted in the arrest of four Russians outside their home country. The incident showed that recent backups enabled most hospitals to resume operation within five days.