Romanian Hospitals Go Back to Pen and Paper After Nationwide Cyber Attack

Tue Jun 23 2026 06:20:36 GMT+0000 (Coordinated Universal Time)

A ransomware hit on Romania's national medical software forced 100 hospitals to operate offline, sparking a rapid shift to handwritten records. The swift offline response saved lives and offered a blueprint for cyber‑resilient health care.

In February 2024, attackers infiltrated Romania’s Hippocrates medical software system, deploying the BackMyData ransomware strain that scrambled patient records across more than a hundred hospitals. With the software gone, hospital teams switched to paper and basic spreadsheets, allowing surgeons and nurses to continue treatment while IT specialists worked to isolate infected nodes. The National Cyber‑Security Centre, guided by cyber‑chief Dan Cimpean, ordered a full disconnect from the internet, preventing further damage and buying crucial minutes for recovery. Most hospitals were back online within five days without incurring fatal consequences, highlighting the importance of regular backups and robust communication strategies.

The ransomware that struck Romania’s hospitals in February 2024 began quietly, infecting the widely used Hippocrates medical software through a breached software firm in Bucharest. As the BackMyData payload scrambled patient records and demanded a €160,000 bitcoin ransom, more than 100 hospitals found the system inoperative and had no way to access electronic charts, lab results or pharmacy orders.

Faced with a national medical infrastructure coming to a halt, cyber‑chief Dan Cimpean instructed a complete internet shutdown for the affected facilities. Companies that had only recently digitised their patient data discovered the outage forced medical staff to revert to pen and paper, manual forms and even exported Excel sheets to maintain continuity of care.

Doctors in Bucharest’s Carol Davila Hospital created offline patient registration sheets, while laboratories handed out paper test results to huddle patients in waiting rooms. In the days that followed, the National Cyber‑Security Centre worked with the Hippocrates makers to isolate the infected servers and began restoring systems from recent backups – a lesson that highlighted the value of consistent data redundancy.

The attack caused no serious harm to patients; authorities confirmed zero deaths or major complications during the five‑day outage. However, the manual back‑fill meant that several pieces of data, once lost to the ransomware, were irretrievable, and the backlog of handwritten records required weeks of re‑entry into digital systems.

Flashpoint’s analysis points out that this incident has become a case study for global emergency planners. Hospitals worldwide now see that a dense web of IT dependencies creates a single point of failure; in the future, maintaining a parallel manual workflow and ensuring up‑to‑date backups could be the difference between life and death.