Cyber Incident Victim: Szpital MSWiA
Date:
Mar 2025
Location:
Poland
Summary
Szpital MSWiA w Krakowiezostał zaatakowany przez hakerów, co spowodowało wyłączenie systemu elektronicznej dokumentacji medycznej i przejście na dokumentację papierową. Dyrektor zapewnił, że zdrowie i życie pacjentów nie są zagrożone, ale przyjęcia w trybie ostrym zostały ograniczone, a pacjenci przekierowani do innych pobliskich szpitali. W wyniku ataku wystąpiły czasowe problemy z diagnostyką laboratoryjną, które zostały już rozwiązane, natomiast blok operacyjny funkcjonuje normalnie. W systemach pojawiła się wiadomość od sprawców żądająca kontaktu, której wyjaśnieniem zajmuje się policja. Nie jest jeszcze jasne, czy doszło do wycieku danych pacjentów, lecz incydent traktowany jest jako potencjalny wyciek informacji osobistych. Przyjęcia do Oddziału Neurologii zostały wstrzymane.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On Saturday, 8 March 2025, the Krakowski szpital MSWiA, the hospital operated by the Ministry of Interior and Administration in Kraków, experienced a cyberattack that was disclosed later that day by the hospital’s director, Michał Zabojszcz, during a press conference. He stated that the attack had rendered the hospital’s electronic medical documentation system inoperable, a system that normally supports patient admission, the entry of patient data, the ordering and receipt of laboratory and imaging test results, and, in certain wards, the electronic prescribing of medicines. According to the director, all of these functions were immediately switched to an analog, paper‑based workflow to maintain continuity of care. He added that, in his assessment, the majority of patients had not noticed the disruption because the paper processes were seamlessly integrated into the ongoing clinical workflow. The director also noted that, at the time of his remarks, it remained uncertain whether any patient data had been exfiltrated from the compromised systems, and he characterized the incident as a potential personal data breach that warranted further investigation. Concurrently, the Minister of Digitalization, Krzysztof Gawkowski, published an official acknowledgment of the attack, confirming that the incident had been brought to the attention of national cybersecurity authorities.
In response to the loss of the electronic system, the hospital limited its acute admissions and, working together with the regional medical emergency coordinator and neighboring healthcare facilities, redirected incoming patients to three hospitals located in the closest geographic area to alleviate pressure on the affected institution. The director explained that this coordination aimed to organize the hospital’s workload so that admissions for the following day would be impacted as little as possible. He also acknowledged that, immediately after the attack, there had been a noticeable limitation in the capacity of the laboratory diagnostics service, but he assured journalists that this issue had already been resolved and that normal laboratory operations had been restored. Regarding other critical services, the director emphasized that the operating block continued to function without interruption throughout the incident. He further disclosed that the hospital’s internal IT systems displayed a message from the attackers demanding direct contact for further instructions, and that this communication was being handled by the Polish police as part of their investigation. Finally, a spokesperson for the Minister of Interior and Administration, Jacek Dobrzyński, announced that, effective Monday, admissions to the neurology department of the Krakowski szpital MSWiA would be suspended until further notice.