In early February 2024, a coordinated ransomware cyberattack swept through Romania’s healthcare network, triggering one of the most high-stakes responses to a global healthcare cyber incident in recent memory. What began as a quiet breach of a popular domestic medical software platform quickly grew into a crisis that put hundreds of thousands of patient lives at risk, and ultimately became a global case study for how nations can defend critical infrastructure against criminal hacking groups.
The attack unfolded when criminals exploited a vulnerability in Hippocrates, a widely used medical management system developed by Bucharest-based software firm RSC. The system, used by more than 100 hospitals across Romania, handles every core function of hospital operations: from patient admissions and test result tracking to pharmacy inventory management and staff payroll. Cyber attackers deployed the BackMyData ransomware strain through the compromised software, quietly encrypting files across connected hospital networks before any IT team detected abnormal activity.
The first alert came on a Sunday morning, when staff at Pitești Children’s Hospital, located northwest of Bucharest, spotted unexplained errors on their system. By dawn the next day, dozens of hospitals across the country reported that Hippocrates had gone completely dark, with all patient and operational files scrambled into unreadable gibberish. The attackers demanded a total ransom of €160,000 in bitcoin to unlock the encrypted data.
At Romania’s national cybersecurity directorate (DNSC) in Bucharest, cyber chief Dan Cimpean faced an urgent, no-win decision. With the ransomware spreading rapidly from hospital to hospital through connected networks, Cimpean made the bold call to issue an immediate order: more than 100 affected and at-risk hospitals had to disconnect from the internet entirely to halt the attack’s progress.
The decision stopped the hackers in their tracks, buying cybersecurity teams critical time to investigate the breach and contain the damage, but it threw day-to-day hospital operations into chaos. For frontline medical staff like surgeon Oana Goidescu, who was on shift at Buzău Hospital, 75 miles northeast of Bucharest, when the alert hit, losing digital access meant losing every tool the clinical team relied on.
“An IT record is not just a list of patients,” Goidescu explained in the aftermath of the incident. “For every patient, we request lab tests, radiology scans, medicines and supplies. All of that was gone overnight.”
Clinical teams across the country quickly improvised analogue workarounds to keep patient care running. Surgeons and doctors switched back to pen and paper for patient records. At Bucharest’s Carol Davila Hospital, medical director Vlad Paic said his team developed a custom offline registration system within hours, asked labs to deliver results on printed paper, and used offline spreadsheets to track care. Many clinicians noted that Romania’s relatively recent shift to full digital health records left many staff still comfortable with paper-based workflows, a surprising advantage during the blackout.
While frontline staff managed patient care, cybersecurity investigators worked around the clock to map the damage and evict the hackers. Working closely with developers at RSC, the team confirmed that 26 hospitals had been fully infected with BackMyData, while the rest of the facilities had avoided encryption thanks to the early internet disconnection. DNSC leadership made a second critical, binding decision: no hospital would be allowed to negotiate with or pay the attackers, a stance that security experts widely back as a long-term deterrent to future ransomware attacks.
The DNSC also leaned on open, consistent communication with the public and media to manage the crisis, a choice that DNSC leadership later cited as core to the response’s success. Public warnings urged patients to avoid non-urgent hospital visits to reduce strain on offline teams, though waiting rooms still filled with patients seeking care, and some frustrated visitors directed their anger at overstretched frontline staff.
IT teams worked at breakneck speed to restore systems from existing backups. Through a mix of luck and preparation, most hospitals had maintained recent, intact offline backups of their patient data, allowing teams to restore systems much faster than many experts expected. Within five days of the attack being detected, nearly all hospitals were back online and operating near full capacity. Remarkably, there were no reported deaths or permanent serious harm to patients connected to the outage, though it took weeks for staff to re-input all the paper records generated during the blackout, and a small amount of data was lost forever.
In the months following the attack, Romania’s coordinated response has become a benchmark test case for disaster planners around the world. The incident also underscores a stark new reality for global healthcare: the FBI recently confirmed that healthcare has overtaken all other sectors as the most targeted area of critical national infrastructure for cyberattacks.
Recent years have seen a string of devastating attacks on global healthcare systems that have caused measurable harm. In 2023, a breach of a UK blood testing firm that affected a dozen London medical centers was officially linked to a patient’s death, marking the first publicly confirmed fatality from a healthcare cyberattack. The same year, U.S. healthcare payment platform Change Healthcare paid attackers a $22 million ransom after a widespread breach, and another major U.S. provider, Ascension, suffered a disruptive attack that shut down services across multiple facilities.
Alina Bîzgă, a cybersecurity analyst at Bucharest-based global security firm Bitdefender, explained why criminal groups increasingly target hospitals over other sectors. “Hospitals handle time-sensitive, life-saving critical services, and criminals calculate that the more widespread disruption they cause, the more pressure hospital and government leaders face to pay a ransom quickly,” she said.
Dan Cimpean, who led Romania’s response, noted that the risk of such an attack exists in every nation, regardless of size or development level. “The more technology you adopt, and the more digitized your healthcare system becomes, the greater your exposure to these risks,” he said. “This was not a problem unique to Romania — it could have happened anywhere.”
As of mid-2024, Romanian police have declined to comment on the ongoing investigation into the identity of the attackers behind the BackMyData incident. In 2023, an international law enforcement operation took down the dark web website of a ransomware gang linked to the BackMyData strain, and four Russian suspects connected to the group were arrested outside of Russia, whose government does not cooperate with Western law enforcement on cybercrime prosecutions.
