Cyber attack hits Dutch patient records holder ChipSoft

A major cyberattack on ChipSoft disrupts Dutch hospitals, forcing patient portals offline and raising data security fears.

Published on April 8, 2026

Team IO+ selects and features the most important news stories on innovation and technology, carefully curated by our editors.

ChipSoft, the dominant provider of healthcare software in the Netherlands, has suffered a significant cyber attack. As the primary manager of patient records for most Dutch hospitals, the breach poses a critical threat to the national medical infrastructure. The incident has already forced several institutions to disconnect their systems to prevent further damage.

The company confirmed today that unauthorized actors gained access to its internal systems. The incident first came to light when Z-Cert, the digital security center for Dutch healthcare, issued an urgent notification to medical institutions across the country.

ChipSoft’s flagship product, HiX, serves as the central nervous system for patient data management in the Netherlands. The attack targeted the company’s infrastructure, leading to immediate service disruptions. While the company initially struggled to contain the breach, its primary website went offline, signaling the severity of the intrusion.

The company suffered a ransomware attack, with hackers blocking systems and demanding money to restore access. Ransomware actors frequently target the medical sector due to the high value of patient data and the urgent necessity of system availability. In this case, the breach at a central software supplier created a massive ripple effect across the entire Dutch medical landscape. The company has since initiated emergency protocols to block further access, but the initial damage to its service availability was both immediate and widespread.

Market dominance and systemic risk

ChipSoft holds a commanding position in the Dutch healthcare market. Estimates suggest that between 70% and 75% of all Dutch hospitals rely on its software for daily operations. This high level of market concentration creates a single point of failure for the nation’s medical infrastructure. When a market leader of this scale suffers a ransomware attack, the consequences extend far beyond a single corporate entity.

Following advice from Z-Cert and the National Cyber Security Centre, at least eleven hospitals proactively took their patient portals offline to mitigate risk. Institutions such as Erasmus MC, Ikazia Hospital, and Medisch Spectrum Twente were among those mentioned in early reports of the disruption. These hospitals severed VPN connections to ChipSoft’s systems to prevent the ransomware from spreading laterally into their own internal networks.

While many medical appointments and treatments continued as scheduled, the loss of portal access meant patients could not view their records or manage appointments digitally. When the link to the Electronic Patient Record is compromised, the hospital's digital workflow is severely hampered, forcing staff to rely on less efficient manual processes or localized backup systems.

Data integrity and regulatory obligations

A primary concern during any ransomware attack is the potential for data exfiltration. ChipSoft has acknowledged that unauthorized parties accessed its systems and stated it cannot rule out the possibility that personal data was viewed or stolen.

Under the General Data Protection Regulation, known as AVG in the Netherlands, ChipSoft acts as the data processor, while the hospitals serve as the data controllers. While some hospitals, such as Ziekenhuisgroep Twente, reported that their specific patient data remains stored locally and appears unaffected, the broader risk to the HiX software-as-a-service environment remains under investigation.

The potential theft of sensitive medical records poses a long-term threat to patient privacy and could lead to secondary extortion attempts against individuals. For now, the focus remains on determining exactly what data was accessed. The company is currently monitoring its systems for signs of data leakage while coordinating with forensic experts to map the full extent of the breach.

Technical investigation and uncertainty

The technical specifics of how the attackers breached ChipSoft’s defenses remain undisclosed. No specific ransomware group has claimed responsibility for the attack, and the exact entry point is still under investigation.

The National Cyber Security Centre and Z-Cert continue to work with ChipSoft to analyze the incident and restore services. This lack of transparency in the early stages of a breach is common, as investigators prioritize containment over public disclosure.

Restoration timelines remain uncertain, leaving hospitals on heightened vigilance. The investigation must eventually determine whether the breach resulted from a known vulnerability or a zero-day exploit to help other institutions harden their defenses.