More than 100 Romanian hospitals were targeted in February 2024 by a ransomware attack exploiting vulnerabilities in the Hippocrates medical software system, prompting a swift cybersecurity response [1, 2, 3, 4]. The ransomware, known as BackMyData, encrypted patient files and demanded a bitcoin ransom worth about 160,000 euros [3, 4].
To contain the attack, security chief Dan Cimpean ordered all affected hospitals to disconnect from the internet on February 10, 2024. This halted further infection and forced hospitals to revert to pen-and-paper workflows for four days while their digital systems were offline [1, 2, 3, 4]. Cimpean said, "The more technology you have, the higher your risk from cyberattacks" [3].
Medical staff improvised by requesting lab results on paper and using offline tools such as Excel to manage patient care, minimizing treatment disruption. Vlad Paic of Carol Davila Hospital said, "We demanded the laboratory provide test results on paper and used offline tools to ensure patient care continued" [3]. Despite the challenges, no deaths or serious injuries were reported during the outage and recovery [3, 4]. Surgeon Oana Goidescu described the experience as "quite unpleasant" because digital patient records containing lab tests, radiology, medications, and supplies were lost temporarily [1].
Twenty-six hospitals were confirmed to be infected by the ransomware, while others avoided infection with enhanced defenses and resumed operations quickly [3, 4]. Network security teams and the Hippocrates software developers worked overnight to restore most hospital systems within five days, returning to online service by February 15 [3, 4].
The FBI has identified healthcare as the most targeted sector of critical national infrastructure; criminals are drawn to hospitals because the disruption an attack causes raises the prospects of a ransom being paid. Cybersecurity expert Alina Bîzgă said, "Hospitals provide critical services; criminals believe the greater the chaos they cause, the more likely they are to get ransom" [3]. Public communications urged people to seek hospital care only in emergencies, reducing the strain on disrupted facilities during recovery [3, 4].
Romania's later adoption of digital systems compared with other countries helped, because hospitals could temporarily fall back to traditional paper methods during the cyberattack [3, 4]. The 2024 attack is considered among the world’s worst healthcare cyber incidents and serves as a test case for hospital disaster planning internationally [1, 2, 3, 4].
The ransomware gang linked to BackMyData was disrupted internationally in 2023, with four Russians arrested outside Russia, but details of ongoing investigations remain unclear as Romanian police declined to comment [3, 4]. In other countries, healthcare hacks have caused patient harm; for example, a British NHS blood testing firm hack last year resulted in a death, and US firms Change Healthcare and Ascension paid millions in ransom [3, 4].
Hospital systems continue to digitize but must balance the risks with contingency planning. The data backlog caused by re-entering paper records into electronic systems took weeks to clear, and some data was permanently lost [3, 4]. The experience underlines the need for robust cybersecurity and fallback procedures in critical healthcare infrastructure.