
Cyber Incident Victim: Centre Hospitalier Stell

Date: Mar 2025

Location: France

Summary

Centre Hospitalier Stell suffered a ransomware infection that disabled all IT systems, forcing staff to rely on paper records and manual processes. The attackers threatened to leak sensitive data unless a ransom was paid, but the hospital followed policy and refused to pay. IT teams isolated the network to contain the spread, and temporary workstations were deployed to maintain essential functions. Payroll processing reverted to the previous month’s figures, electronic badge readers were stopped, and heightened security measures were imposed on USB use and web access. Staff were required to change passwords and monitor financial accounts for suspicious activity. An investigation is underway, though prospects of identifying the perpetrators remain low.


Description

Since March 31, 2025, the Centre hospitalier Stell in Rueil-Malmaison has been paralyzed by a massive ransomware infection that compromised all of its information technology systems. The attack forced the hospital to revert to paper and pen, eliminating access to medical software, disabling electronic badge readers, and threatening the release of sensitive patient data if a ransom were not paid. The IT team reacted urgently by isolating the network to contain the spread, while authorities and technical specialists began mobilizing to restore services. Staff described a scene of silent keyboards, black screens, and handwritten notes as they attempted to continue care under these conditions. The ransomware was described as a structured, financially motivated attack, reportedly of likely criminal origin.

In response, the hospital’s IT department successfully decoupled the main network, preventing uncontrolled propagation of the malware, and launched a rapid reorganization that drew on both internal and external resources. Approximately eighty computers and printers were deployed to reconstitute a degraded level of functionality, with additional equipment being delivered under the ARS “cyberattaque” emergency fund. Because internal software remained unavailable, the April payroll was set to match that of March and electronic time clocks were disabled, requiring managers to manually record work hours. Security protocols were tightened immediately, with an internal note forbidding the use of USB keys not supplied by the IT service and limiting internet access to sites strictly necessary for medical activity, while printed medical documents were placed under heightened surveillance to protect confidentiality. Staff were instructed to change professional and personal passwords and, for those whose bank details might have been compromised, to contact their banks to monitor for suspicious transactions.

The return to analog workflows has disrupted daily organization, increased mental workload, and slowed the pace of care; workers report that tasks now require verification, duplication, and revalidation despite their ongoing efforts. This incident follows a pattern of ransomware attacks on French health facilities, including the 2021 incidents at Villefranche-sur-Saône and Dax and more recent hits at the CHU of Rennes, Versailles, Armentières, and Corbeil-Essonnes. According to the ANSSI, health care providers are favored targets due to sometimes outdated systems, limited resources, and the high value of their data, while institutional responses have often been reactive rather than preventive despite the availability of the ARS cyberattack fund. An investigation is underway, with the National Police handling the case, but prospects of identifying the perpetrators are considered slim because the attackers typically operate from abroad behind anonymous servers and masked IP addresses.
