Cyber Incident Victim: Centre Hospitalier de Versailles
Date:
Dec 2022
Location:
France
Summary
A ransomware attack targeted Hôpital André-Mignot near Paris, forcing the shutdown of phone and computer systems to contain the malware. The hospital partially canceled operations, limited admissions to walk-ins and consultations, and transferred six patients from neonatal and intensive care units to other facilities. Attackers demanded an unspecified ransom, which hospital officials refused to pay. Authorities including the French National Authority for Security and Defense of Information Systems (ANSSI) and the Paris prosecutor's office launched investigations into the incident, treating it as hacking and attempted extortion. The attack disrupted administrative functions and drew comparisons to prior ransomware incidents against healthcare facilities, though the specific threat actor remained unidentified. Crisis protocols were activated to maintain outpatient care while systems were isolated for security.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The ransomware attack on Hôpital André-Mignot in Versailles began on the evening of December 3, 2022, at approximately 21:00 local time. Computer systems were compromised, with screens turning black and becoming unresponsive, forcing the hospital to shut down its entire IT infrastructure, including telephone systems, as a containment measure. Hospital administrators activated their "plan blanc" emergency protocol, leading to partial cancellation of surgical operations and limiting admissions to walk-in patients and consultations only. By December 4, the hospital filed a formal complaint with authorities, triggering an investigation by the Paris prosecutor's office into hacking of state data and attempted extortion. The French National Authority for Security and Defense of Information Systems (ANSSI) was immediately alerted and began forensic analysis, while the Versailles public prosecutor transferred jurisdictional authority to Paris prosecutors specializing in cybercrime. Health Minister François Braun confirmed six neonatal and intensive care patients required transfer to other facilities, though emergency medical services (SAMU) remained operational. Minister Delegate for Digital Transition Jean-Noël Barrot acknowledged the attackers had demanded ransom, though hospital supervisory board co-chair Richard Delepierre stated they had no intention to pay.
The attack caused significant service disruptions, with the Ile-de-France Regional Health Agency advising patients to contact their departments for redirected care. Hospital operations were severely constrained, maintaining only outpatient care and consultations while administrative, technical, and logistical systems remained offline. The facility, which houses 700 beds and employs 3,000 staff, faced comparisons to the August 2022 LockBit 3.0 ransomware attack against Corbeil-Essonnes hospital, though no specific threat actor was officially attributed. Crisis management teams coordinated with national authorities throughout December 4-5, implementing manual patient tracking systems while forensic investigators worked to determine the ransomware variant and intrusion vectors. No other regional healthcare facilities were affected, according to official statements. Patient health data exposure risks were acknowledged based on prior hospital ransomware incidents, though specific data breaches at André-Mignot remained unconfirmed in initial reports. The incident marked France's second major healthcare cyberattack within four months, prompting coordinated response from health, digital, and law enforcement agencies.