Cyber Incident Victim: Klinikum Lippe
Date: Nov 2022
Location: Germany
Summary
A German hospital group experienced a significant ransomware attack impacting IT systems across all its locations, prompting immediate network isolation to prevent further damage. Following intensive negotiations, the attackers provided a decryption key without receiving a ransom payment, though the institution continued facing operational disruptions requiring reliance on telephone and fax communications while rebuilding infrastructure. Patient care remained secure during the incident, including emergency services, despite partial system outages mitigated through analog alternatives like manual processes for critical functions such as meal ordering. The attack highlighted vulnerabilities in healthcare infrastructure, with investigations supported by law enforcement agencies.
Description
On November 17, 2022, Klinikum Lippe—a major municipal hospital in Germany with locations in Detmold, Lemgo, and Bad Salzuflen, and part of the University Hospital OWL—detected a significant cyberattack impacting all three facilities. Monitoring systems alerted the hospital to what spokesperson Christian Ritterbach described as a "massive external hacking attack," prompting immediate isolation of all IT infrastructure from external networks to contain further damage. The hospital collaborated with specialists from the State Criminal Police Office (Landeskriminalamt) to implement defensive measures. This isolation required a complete shutdown and reconstruction of IT systems, forcing communication with external parties to revert exclusively to telephone and fax services. Internal operations partially resumed using analog workarounds, such as manual food ordering systems, while critical patient care remained uninterrupted for both hospitalized individuals and emergency cases. A dedicated hotline (05231 725976) was established to address public inquiries about the outage. The hospital publicly confirmed the incident via a November 18 Twitter post, emphasizing continued operational security despite email system failures.

By November 30, the hospital announced it had obtained decryption keys following "intensive negotiations" with the unnamed ransomware actors, declaring the attack formally ended though IT restoration efforts continued. The hospital explicitly warned of persistent system disruptions during the rebuilding phase, with external digital communications remaining offline indefinitely. Radio Lippe reported the hospital claimed no ransom payment occurred, suggesting attackers may have released the decryption key voluntarily upon recognizing the hospital’s critical infrastructure status—an assertion the original article characterized as unusual and surprising. Historical context highlighted vulnerabilities in regional healthcare systems, referencing a 2019 ransomware attack against Medizinisches Versorgungszentrum Lippe that forced multi-day clinic closures in Detmold, Lemgo, and Lage. While patient care was maintained throughout the 2022 incident, the broader risks of healthcare cyberattacks were underscored by Andreas Graßl, an IT security executive for regional hospitals, who noted such incidents inherently endanger lives by disrupting medical services.
