Cyber Incident Victim: Buzău Hospital
Date:
Feb 2024
Location:
Romania
Summary
During a nationwide ransomware campaign, attackers exploited a vulnerability in the Hippocrates medical software used by over one hundred Romanian hospitals, encrypting files with the BackMyData strain and demanding bitcoin payment. Authorities ordered all affected facilities to disconnect from the internet, forcing clinicians at institutions such as Buzău Hospital to revert to paper records and improvise workarounds for admissions, test results and medication orders while IT teams restored systems from backups. Within several days most hospitals resumed normal operations, with no reported fatalities or serious patient harm.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Thecyber‑attack on Romania’s hospitals began in February 2024 when ransomware known as BackMyData infiltrated the Hippocrates medical software platform supplied by the Bucharest‑based firm RSC. The infection spread through the software network, and on Sunday morning staff at Pitești children’s hospital were the first to notice errors in the system, the day after the initial compromise. By dawn on Monday many hospitals across the country reported that the Hippocrates system was unavailable, including Buzău Hospital, which lies approximately 120 kilometres north‑east of Bucharest. Surgeon Oana Goidescu at Buzău Hospital described the impact as the loss of all electronic patient records, meaning that requests for laboratory tests, radiology, medicines and supplies could no longer be accessed through the system.
In response, the national cyber‑security centre (DNSC) issued an order for more than 100 hospitals, including Buzău, to disconnect from the internet immediately, a move that halted the further spread of the ransomware. Medical staff at Buzău Hospital switched to pen‑and‑paper methods, creating offline registers for patient admissions and requesting laboratory results on paper, while using Excel and other offline tools to maintain care. The DNSC coordinated with the makers of Hippocrates to identify infected systems and work with hospital IT teams to expel the attackers, and public messaging urged patients to seek hospital care only when necessary to reduce pressure on the overwhelmed facilities. IT teams at hospitals that remained offline, including Buzău, attempted to restore operations from recent backups, and within five days most hospitals were back online and operating close to normal.
By the end of the week, cyber‑investigators confirmed that 26 hospitals had been infected with BackMyData, while the remaining facilities had been brought back online with additional security protections. The process of re‑entering the data recorded on paper during the outage was expected to take weeks, and some information was permanently lost. No deaths or serious harm to patients were reported as a direct result of the outage. Police have not commented on the investigation into the perpetrators, though a ransomware gang linked to BackMyData had its website taken down in an international operation the previous year, leading to the arrest of four Russians outside Russia. The incident has been cited as a case study for disaster planning in healthcare settings worldwide.