Cyber Incident Victim: Colosseum Dental Benelux
Date:
Aug 2022
Location:
Netherlands
Summary
A ransomware attack targeted Colosseum Dental Benelux, disrupting operations across over 100 dental practices in Belgium and the Netherlands. The incident encrypted computer systems and led to temporary closures, preventing access to patient records. Attackers demanded ransom to restore data and threatened to publish allegedly copied information, including sensitive patient and employee details such as medical records, identification documents, and financial data. The organization engaged external experts to investigate, negotiated with the attackers to secure data restoration and non-disclosure agreements, and notified the Dutch Data Protection Authority within regulatory timelines. While forensic analysis could not confirm whether data was definitively accessed or exfiltrated, precautionary notifications were issued to potentially affected individuals due to the unresolved risk of unauthorized data exposure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early August 2022, Colosseum Dental Benelux, a dental group operating over 130 practices across Belgium and the Netherlands, experienced a disruptive cyber incident. The attack began around August 4-5, forcing the immediate closure of more than 100 affiliated dental clinics. Initial reports described a "cyber incident" disrupting operations, with employees unable to access patient records and the company's website rendered offline. Security firm ESET Netherlands identified ransomware indicators based on the operational shutdown, system inaccessibility, and mandatory regulatory reporting to the Dutch Data Protection Authority (AP) and law enforcement. Colosseum Dental later confirmed this was a ransomware attack involving data encryption and extortion demands. Attackers deployed gijzelsoftware (ransomware) to encrypt computer files and demanded payment for decryption keys. They additionally claimed to have exfiltrated sensitive data, threatening public release unless ransom terms were met.
Colosseum Dental engaged external cybersecurity experts to investigate and negotiate with the attackers. The company reached an agreement to restore system access and prevent data publication, though investigators couldn't definitively confirm whether patient or employee data was actually accessed or copied during the breach. Affected data included medical records, personnel files, national identification numbers (Burgerservicenummer), bank account details, and employment contracts for current/former patients and staff across specific Dutch practices listed in their disclosure. Despite uncertainty about data compromise, Colosseum proactively notified all potentially impacted individuals by early September 2022, citing precautionary principles. The organization reported the breach to the AP within the mandatory 72-hour window on August 5 and planned formal police reporting. While no evidence suggested leaked data was misused, Colosseum advised vigilance against phishing and identity fraud via the national Fraud Help Desk. Restoration efforts successfully recovered encrypted data, but the company declined to disclose technical details about the attack vector, ransom payment, or specific security gaps exploited. Post-incident measures included external security audits and infrastructure hardening to reduce future risks, though prior protections had failed to prevent the initial compromise. The incident disrupted care for approximately 600,000 annual patients during clinic closures and triggered ongoing regulatory coordination with the AP regarding notification protocols.