Cyber Incident Victim: VZW Curando

Date: Jan 2023

Location: Belgium

Summary

Curando, a healthcare organization, experienced a cyberattack compromising its server systems, rendering electronic health records, personnel programs, and financial services inaccessible. Attackers stole and encrypted data but ceased operations upon realizing the target was a healthcare provider, subsequently destroying the stolen data after negotiations and providing proof of its deletion. The incident caused significant operational disruption, including increased workload due to server outages, though care services remained uninterrupted. The organization collaborated with specialized cybersecurity firms and external incident responders to mitigate the attack, with the hackers withdrawing their ransom demands during discussions. Curando's director emphasized the attack's impact despite existing security measures and urged government intervention to address rising cyber threats against critical sectors.


Description

On Sunday morning, January 22, 2023, IT personnel at Belgian healthcare organization Curando detected a cyberattack compromising several computer servers. Critical systems—including electronic health records, human resources programs, and financial services—became inaccessible, disrupting internal operations. Immediate containment measures were implemented to prevent further data loss, though forensic analysis confirmed attackers had already exfiltrated information from the servers. Curando engaged its primary IT partner and specialized cybersecurity firms to investigate the breach, emphasizing that the intrusion targeted file-exchange servers rather than general email communications. The organization proactively notified partner entities that had exchanged data with its systems, advising heightened vigilance against potential misuse of stolen information.

By Monday, January 23, investigators confirmed attackers had encrypted data and issued ransom demands. Curando’s board of directors authorized negotiations through an external incident response firm to protect care continuity for patients and staff. During discussions on January 24, the hacking collective withdrew its demands upon realizing it had targeted a healthcare provider, subsequently destroying the stolen data and providing evidence of its deletion. Despite these concessions, the attack caused significant operational strain: server outages increased workloads, and Curando communicated directly with residents, families, and employees across its care facilities to maintain transparency. General Director Dirk Lips acknowledged the organization’s existing security audits and "state of the art" protections had proven insufficient, describing the incident’s impact as "substantial" while confirming no further public data exposure occurred. He publicly urged government intervention to address escalating cyber threats against critical infrastructure sectors.
