Cyber Incident Victim: Hospital Clínic de Barcelona
Date:
Mar 2023
Location:
Spain
Summary
A ransomware attack severely disrupted operations at Hospital Clínic de Barcelona, compromising virtualized environments and impacting emergency services at multiple affiliated medical centers. Patient information systems became inaccessible, forcing staff to handle hundreds of urgent cases manually and divert critical emergencies to other facilities while canceling significant numbers of non-urgent surgeries and outpatient appointments. The incident, attributed to the RansomHouse group, caused widespread application and communication failures, though some services like radiology and dialysis remained operational. Recovery efforts involved coordination between technical teams, law enforcement, and additional administrative staff to restore systems, with no immediate data leaks reported from the attackers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The ransomware attack on Hospital Clínic de Barcelona occurred on the morning of March 5, 2023, targeting the hospital’s virtualized environments in a sophisticated attack attributed to the RansomHouse operation. The incident severely disrupted healthcare services across the 819-bed facility and three associated medical centers—CAP Casanova, CAP Borrell, and CAP Les Corts—compromising applications, communications, and access to patient information for physicians. Emergency services were redirected, with urgent cases like strokes and heart attacks diverted to other hospitals in Barcelona, while 800 urgent admissions on March 5 required manual processing, slowing response times. Catalonia’s government confirmed the attack’s complexity, noting it involved non-classic techniques indicating attacker evolution. Coordination between hospital staff, the Agència de Ciberseguretat de Catalunya, Mossos d’Esquadra (Catalan police), and Interpol focused on damage assessment, infiltration analysis, and system restoration. Though the hospital’s SAP system remained unaffected, nearly all other critical applications were inaccessible, forcing the suspension of 150 non-urgent surgeries and the cancellation of 3,000 outpatient appointments, referenced in some sources as 2,500 external consultations.
Response efforts prioritized maintaining urgent and hospitalization services at all Clínic sites—Villarroel, Plató, and Maternitat—while operational continuity was preserved for radiology, endoscopic tests, radiological scans, dialysis, outpatient pharmacy, day hospitals, and home hospitalization. Administrative staff and health assistants were reinforced to facilitate inter-departmental communication during manual operations. Elective surgeries, external consultations, the extraction center, and oncology radiotherapy sessions remained suspended. Authorities indicated restoring normal operations would require days, though no precise timeline was confirmed. RansomHouse’s leak site had not published hospital data as of March 6, though the group previously leaked data from Kerlaty healthcare following a November 2022 attack. Work continued to determine the breach’s scope and recover IT systems, with periodic public updates promised. The incident underscored systemic vulnerabilities, impacting care delivery for over 500,000 residents reliant on the hospital’s services.