PROBABLYPWNED
Malware | April 11, 2026 | 4 min read

ChipSoft Ransomware Hits 70% of Dutch Hospital Systems

Ransomware attack on ChipSoft forces 11 Dutch hospitals offline. The vendor manages patient records for most of the Netherlands. Attacker unknown.

James Rivera

A ransomware attack against Dutch healthcare software vendor ChipSoft has cascaded across the Netherlands' hospital infrastructure, forcing at least 11 facilities to disconnect systems and shift to contingency operations. ChipSoft provides electronic health record systems to roughly 70% of Dutch hospitals—a concentration of critical infrastructure in a single vendor that turned a corporate breach into a national healthcare incident.

The attack began on April 7, 2026, according to Z-CERT, the national cybersecurity center for the Dutch healthcare sector. ChipSoft's public website remains offline, and the company has acknowledged "possible unauthorized access" while declining to confirm whether patient data was stolen.

What Happened?

ChipSoft disabled several platforms in response to the intrusion: Zorgportaal (the care portal), HiX Mobile, and Zorgplatform. These systems handle patient records, appointment scheduling, and clinical documentation across the majority of Dutch healthcare facilities.

The affected hospitals include:

  • Sint Jans Gasthuis (Weert)
  • Laurentius Hospital (Roermond)
  • VieCuri Medical Center (Venlo)
  • Flevo Hospital (Almere)
  • Leiden University Medical Center (LUMC)

Most facilities can still access their local patient portals—the core HiX electronic health record system runs on-premises rather than in ChipSoft's cloud. But the disconnection from ChipSoft's central infrastructure has disrupted inter-hospital communication, referral workflows, and remote access capabilities.

Z-CERT confirmed that "no critical care processes have come to a standstill." Hospitals increased staffing and shifted communication to telephone systems. But the incident demonstrates how dependent modern healthcare has become on interconnected software systems.

Who's Responsible?

No ransomware group has claimed the attack. The absence of a public claim after several days is unusual—most ransomware operations announce victims quickly to pressure payment negotiations. This could indicate the attackers are still in early stages, negotiating privately, or that the attack may have been disrupted before data exfiltration completed.

The pattern differs from recent healthcare sector attacks we've covered, where groups like Interlock and Qilin have been particularly aggressive about public victim announcements. The silence makes attribution difficult and leaves affected parties uncertain about whether their data has been stolen.

The Single-Vendor Problem

ChipSoft's market dominance created this scenario. When one company supplies critical software to 70% of a nation's hospitals, a single security failure becomes a systemic risk. The Netherlands isn't unique—similar vendor concentration exists across European healthcare, and we've seen comparable situations in other sectors.

This mirrors the Smart Slider WordPress supply chain attack from earlier this week, where 900,000 sites were compromised through a single plugin vendor's infrastructure. The economics favor consolidation—fewer vendors mean lower costs and easier integration—but the security implications are severe.

Healthcare organizations generally can't diversify their EHR vendors without massive operational disruption. A hospital running ChipSoft today can't easily switch to an alternative if ChipSoft is compromised. The vendor relationship is sticky, which means vendor security becomes existential.

Patient Data Exposure Unknown

ChipSoft's statement that it "cannot rule out" patient data access is concerning but standard crisis communications language. The company hasn't confirmed what the attackers accessed, and forensic investigation typically takes weeks.

Dutch patient records contain sensitive information: medical histories, diagnoses, medications, and often national identification numbers. If exfiltrated, this data would be valuable for identity theft, insurance fraud, and targeted social engineering attacks against patients.

Z-CERT is advising affected institutions to audit their ChipSoft systems for unusual activity and report anomalies. Organizations should also prepare for potential data breach notifications if the investigation confirms unauthorized access to patient information.

Operational Impact

The real-world effects so far have been logistical rather than life-threatening:

  • Delayed referrals - Hospitals unable to electronically transfer patient records
  • Manual workarounds - Staff reverting to phone and fax for inter-facility communication
  • Increased workload - Additional staffing required to manage paper-based processes
  • Appointment disruptions - Some facilities rescheduling non-urgent procedures

Dutch healthcare authorities emphasize that emergency care remains fully functional. Hospitals have practiced contingency procedures for exactly these scenarios. But prolonged outages will strain resources and potentially delay treatment for non-critical patients.

What Organizations Should Do

Healthcare facilities worldwide should treat this incident as a warning:

  1. Audit vendor dependencies - Map which critical functions rely on single vendors
  2. Test offline procedures - Ensure staff can operate when primary systems fail
  3. Segment vendor access - Limit what third-party software can reach within your network
  4. Monitor for indicators - ChipSoft hasn't published IOCs, but watch for unusual outbound connections
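
With no published IOCs, step 4 comes down to comparing current outbound traffic from the servers that run vendor software against their own history. The sketch below is an added example, not code from ChipSoft or Z-CERT; the flow-log columns, the `10.20.5.0/24` vendor segment, the baseline cutoff, and the 10x volume threshold are all assumptions, and the log lines are constructed.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample flow records (not real telemetry).
# Assumed columns: day, src, dst, dport, bytes_out
FLOWS = """\
day,src,dst,dport,bytes_out
2026-03-01,10.20.5.11,192.0.2.10,443,120000
2026-03-02,10.20.5.11,192.0.2.10,443,135000
2026-03-03,10.20.5.11,192.0.2.10,443,110000
2026-03-03,10.20.5.12,192.0.2.10,443,90000
2026-03-09,10.20.5.11,192.0.2.10,443,125000
2026-03-09,10.20.5.11,203.0.113.77,443,4800000
2026-03-09,10.20.5.12,192.0.2.10,443,2900000
2026-03-09,10.30.1.4,203.0.113.77,443,500
"""

VENDOR_SEGMENT = ipaddress.ip_network("10.20.5.0/24")  # hypothetical EHR server VLAN
BASELINE_END = "2026-03-06"  # days up to and including this form the baseline (assumption)
VOLUME_FACTOR = 10           # alert above 10x the baseline peak (assumption)

def find_unusual_outbound(flow_csv):
    """Flag vendor-segment flows to destinations absent from the baseline,
    and flows to known destinations whose volume far exceeds the baseline peak."""
    baseline_peak = defaultdict(int)  # (src, dst, dport) -> max bytes in baseline
    alerts = []
    rows = sorted(csv.DictReader(io.StringIO(flow_csv)), key=lambda r: r["day"])
    for r in rows:
        if ipaddress.ip_address(r["src"]) not in VENDOR_SEGMENT:
            continue  # only hosts running the vendor software are in scope
        key = (r["src"], r["dst"], int(r["dport"]))
        sent = int(r["bytes_out"])
        if r["day"] <= BASELINE_END:
            baseline_peak[key] = max(baseline_peak[key], sent)
        elif key not in baseline_peak:
            alerts.append(("new_destination", r["day"], *key, sent))
        elif sent > VOLUME_FACTOR * baseline_peak[key]:
            alerts.append(("volume_spike", r["day"], *key, sent))
    return alerts

if __name__ == "__main__":
    for alert in find_unusual_outbound(FLOWS):
        print(alert)
```

The same per-host baseline doubles as input for step 3: the destinations it records are the candidate egress allowlist for the vendor segment.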

The broader lesson: critical infrastructure requires redundancy, even when that redundancy is expensive and operationally complex. ChipSoft's dominance in Dutch healthcare wasn't a secret—but the risk it created apparently wasn't mitigated until the threat materialized.

We'll update this story as the investigation reveals more about the attack's scope and the responsible parties.
