When a nationwide cyberattack crippled hospital IT systems across Romania, doctors and nurses faced a challenge that seemed almost unthinkable in modern healthcare. Electronic records disappeared behind encrypted screens, hospital management platforms went offline, and critical digital workflows suddenly stopped functioning. Yet rather than allowing patient care to collapse, more than 100 hospitals reverted to a method that predates computers entirely: pen and paper.
Get breaking news anytime, anywhere. Download the TOI app now!
The incident became a striking example of how resilience, preparation and human adaptability can keep essential services running when technology fails. While ransomware attacks have increasingly targeted healthcare systems worldwide, Romania's response demonstrated that continuity planning remains just as important as digital innovation. The episode also highlighted a growing reality for hospitals everywhere: cybersecurity is no longer merely an IT concern but a fundamental component of patient safety and healthcare delivery.
Romania's largest hospital cyber-attack forced over 100 healthcare facilities offline
As reported by the BBC, the crisis began in February 2024 when attackers targeted the Hipocrate Information System (HIS), a software platform widely used by Romanian hospitals to manage medical records, administrative operations and patient information. According to Romania's National Cyber Security Directorate (DNSC), ransomware encrypted files and databases stored on production servers, making them inaccessible to healthcare providers.
Initially, 21 hospitals were confirmed as affected, but the number later rose. At the same time, dozens of additional hospitals disconnected their systems from the internet as a precautionary measure to prevent the malware from spreading further. In total, more than 100 healthcare facilities experienced disruption or voluntarily took systems offline during the response effort.
Romania's Ministry of Health described the attack in a public statement:
"As a result of the attack, the system is down, and files and databases are encrypted."
Cybersecurity investigators later identified the malware as Backmydata ransomware, a variant linked to the Phobos ransomware family. Attackers reportedly demanded a ransom of 3.5 Bitcoin in exchange for restoring access to affected systems.
Why hospitals abandoned digital systems and returned to paper records
Faced with widespread system outages, hospitals activated emergency continuity procedures designed specifically for situations where digital infrastructure becomes unavailable.
Medical staff returned to handwritten patient notes, paper admission forms, printed treatment records and manual tracking systems. While significantly slower than electronic processes, these analogue methods ensured that patient care could continue while cybersecurity teams worked to contain the attack.
One of the most important defensive measures involved disconnecting hospital networks from the internet. DNSC via BBC advised healthcare providers to isolate affected systems immediately and preserve evidence for forensic investigation. The agency also strongly discouraged institutions from communicating with attackers or paying the ransom.
Both the Directorate and other cybersecurity authorities involved in the analysis of this incident recommend not contacting the attackers and not paying the demanded ransom.
The temporary return to paper records proved critical in maintaining continuity of care. Although administrative processes slowed, hospitals remained capable of admitting patients, documenting treatments and carrying out essential medical services while recovery efforts progressed.
What the Romanian ransomware attack reveals about the future of healthcare cybersecurity
The Romanian hospital incident illustrates a growing challenge facing healthcare systems worldwide. Hospitals have become attractive targets for cyber criminals because they depend heavily on uninterrupted access to patient data, diagnostic systems and operational networks.
However, the attack also revealed the value of resilience planning. According to DNSC, most affected hospitals maintained recent data backups, allowing many systems to be restored without capitulating to ransom demands. Some facilities reportedly possessed backups only a few days old, significantly reducing potential data loss.
The episode serves as a reminder that technological advancement must be matched by robust contingency planning. Digital transformation has improved efficiency across healthcare, but the Romanian experience demonstrated that hospitals must remain capable of functioning during prolonged technology failures.
As ransomware groups continue targeting critical infrastructure, healthcare providers around the world are reassessing their preparedness. The lesson from Romania is clear: cyber resilience is not measured solely by preventing attacks but by maintaining patient care when prevention fails.
