Date: Dec 2023

Location: Germany

Summary

A cyberattack targeted the IT systems of Katholische Hospitalvereinigung Ostwestfalen, causing a widespread outage affecting three hospitals. Unidentified attackers breached the infrastructure, encrypting data, with initial assessments attributing the incident to LockBit 3.0 ransomware. All systems were immediately shut down as a precaution, and emergency services were suspended for safety reasons. Patient care continued using backup systems despite technical limitations, while internal and external security specialists worked to restore operations and secure data. Authorities were notified, and a crisis team initiated forensic analysis, though the full extent of data compromise and attacker demands remained unclear at the time of reporting.


Description

In the early morning hours of December 24, 2023, the IT systems of three hospitals operated by Katholische Hospitalvereinigung Ostwestfalen (KHO) – Franziskus Hospital Bielefeld, Sankt Vinzenz Hospital Rheda-Wiedenbrück, and Mathilden Hospital Herford – experienced a complete outage following unauthorized access by attackers. Unknown threat actors infiltrated the hospitals' IT infrastructure and deliberately encrypted data, with preliminary analysis indicating the attack likely involved LockBit 3.0 ransomware. Upon detecting the breach, KHO immediately powered down all systems as a containment measure and activated its crisis management team overnight. The organization notified relevant authorities and engaged both internal and external cybersecurity specialists to investigate the incident and secure remaining data. While backup systems preserved patient data critical for ongoing care, administrators proactively disconnected from emergency medical networks as a security precaution, temporarily suspending emergency service availability across the affected facilities.

KHO's management confirmed the attack caused significant operational disruptions, forcing hospitals to implement technical restrictions while maintaining basic patient care services. Deputy Managing Director Philipp Herzog stated clinical operations continued with reduced capabilities, though the organization refrained from specifying recovery timelines due to the ongoing forensic investigation. The attackers' motives and potential ransom demands remained undisclosed as of the initial disclosure. Dr. Jan Schlenker, KHO's Managing Director, emphasized immediate access revocation across all systems and prioritized restoration efforts through backup infrastructure. The incident impacted six hospitals collectively employing approximately 3,300 staff, though only three facilities experienced full IT outages. No data compromise was confirmed at the time of reporting, with investigators focusing on system recovery and attack attribution while maintaining limited clinical operations under modified procedures.
