The more digitised you are, the greater the risk
In February 2024, a ransomware attack encrypted the medical records of over a hundred Romanian hospitals, forcing the nation's cyber-security chief to make a stark choice: allow the infection to spread, or sever the digital lifeline of an entire healthcare system. The decision to disconnect proved both painful and effective — medical staff returned to pen and paper, patients were cared for, and the criminals received nothing. Romania's ordeal has since entered the global conversation about how civilizations protect their most vital institutions in an age when connectivity is both a gift and a wound.
- A ransomware gang exploited a single shared medical software platform to simultaneously hold over a hundred hospitals hostage, demanding €160,000 in bitcoin to restore encrypted patient records.
- The national cyber-security centre ordered a total internet blackout across all affected hospitals — a drastic, irreversible-feeling move that stopped the attack but left surgeons and nurses without access to lab results, medication histories, or patient files.
- Medical staff improvised with handwritten registers, printed lab results, and offline spreadsheets, sustaining patient care through four days of digital silence while frustrated patients directed their fear and anger at frontline workers.
- Cyber-experts worked through the night to isolate 26 actively infected hospitals, coordinate with the software maker, and begin removing the intruders — all while the government held firm against paying the ransom.
- Within a week, nearly all hospitals were back online, though weeks of manual data re-entry followed and some records were permanently lost — leaving Romania's response both celebrated and sobering as a global model for healthcare cyber-resilience.
On a Sunday morning in February 2024, staff at a children's hospital north of Bucharest noticed something wrong with their systems. By Monday, the problem had spread across Romania. More than a hundred hospitals found their medical records encrypted into gibberish — the work of a ransomware gang called BackMyData, which had slipped into Hippocrates, the shared software platform managing everything from patient admissions to pharmacy orders. The attackers were demanding €160,000 in bitcoin.
At the national cyber-security centre, Dan Cimpean faced an impossible choice. He could watch the infection spread, or he could cut the cord entirely. On Monday, 10 February, the order went out: disconnect from the internet. One hundred hospitals went dark. The decision stopped the hackers cold — but it also meant that doctors and nurses across the country suddenly had no access to records, lab results, or medication histories.
What followed was a masterclass in improvisation. Staff at hospitals across Romania switched to pen and paper, printed lab results, pulled out offline spreadsheets, and built handwritten patient registers from scratch. The work was slower and exhausting, but it held. No patients died. No serious harm was reported. Surgeon Oana Goidescu, working through the disruption at Buzău Hospital, later recalled the weight of those days — and the difficult conversations with patients who were frightened and angry, and not wrong to be.
Cyber-experts worked through the nights to map the breach, ultimately identifying 26 actively infected hospitals. The attackers had entered through RSC, the Bucharest company behind Hippocrates, and spread quietly before anyone noticed. A firm decision was made: Romania would not pay the ransom. Within five days, most hospitals were back online. Within a week, nearly all were operating close to normal — though manually re-entering four days of paper records took weeks, and some data was lost forever.
The incident has since become a reference point for disaster planners worldwide. Healthcare is now the most targeted sector of critical infrastructure, and Romania's response — the swift disconnection, the refusal to negotiate, the resilience of its medical staff — has been widely studied as a model for what to do when the worst arrives. Cimpean's reflection lingers: the more digitised a society becomes, the greater its exposure. The question is whether others will learn from Romania's experience before they face their own reckoning.
On a Sunday morning in February 2024, staff at a children's hospital north of Bucharest noticed something wrong with their computer systems. By Monday dawn, the problem had spread across Romania like a contagion. More than a hundred hospitals were discovering that their medical records had vanished into encrypted gibberish. A ransomware gang called BackMyData had slipped into the Hippocrates software system—the digital backbone that Romanian hospitals used to manage everything from patient admissions to pharmacy orders to test results—and was now demanding €160,000 in bitcoin to unlock the files.
At the national cyber-security centre in Bucharest, Dan Cimpean faced a choice with no good options. He could watch the infection spread through hospital after hospital, or he could do something radical: cut the power. The order went out on Monday, 10 February. Disconnect from the internet. All of it. One hundred hospitals went dark.
The decision was brutal and necessary. It stopped the hackers cold. But it also meant that surgeons, nurses, and doctors across Romania suddenly had no access to patient records, no email, no way to look up lab results or medication histories. The machines that had become the nervous system of modern medicine were silent. Surgeon Oana Goidescu was on shift at Buzău Hospital, 120 kilometres north-east of Bucharest, when the alert came. "An IT record is not just a list of patients," she said later. "For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone."
What happened next became a masterclass in improvisation under pressure. Medical staff across Romania switched to pen and paper. At Carol Davila Hospital in Bucharest, Vlad Paic and his colleagues asked the laboratory to print results on paper instead of sending them digitally. They pulled out Excel spreadsheets and offline tools. They created handwritten registers to track every patient who came through the door. The work was slower, messier, and exhausting—but it worked. Patients continued to receive care. No one died. No serious harm was reported.
Meanwhile, cyber-experts worked through the night to understand the scope of the breach. They found that 26 hospitals had been actively infected with the ransomware. The attackers had burrowed in through RSC, the Bucharest-based software company that made Hippocrates, and had spread quietly before anyone noticed. The national cyber response centre coordinated with the software maker to identify which systems were compromised and begin the process of removing the intruders. They also made a strategic decision: hospitals would not pay the ransom. The criminals would get nothing.
The cyber-security centre used media broadcasts to communicate with hospitals and the public, urging people to avoid hospitals unless absolutely necessary. But waiting rooms still filled up. Some patients, frustrated and frightened, directed their anger at staff who had no control over the situation. Goidescu remembered the difficult conversations. "We were asked, 'What if it were your mother?' They were right to be angry, but we tried to explain we were not at fault." Within five days, most hospitals were back online. Within a week, nearly all of them were operating close to normal. The data that had been recorded on paper during those four days had to be manually entered back into the systems—a process that took weeks. Some information was lost forever.
The attack on Romanian hospitals in February 2024 has become a test case for disaster planners around the world. Healthcare is now the most targeted sector of critical national infrastructure, according to the FBI. Hospitals are attractive targets for ransomware gangs because they handle life-and-death services; the criminals know that disruption creates pressure to pay. Yet Romania's response—the swift decision to disconnect, the improvisation of medical staff, the refusal to negotiate with extortionists—has been widely praised as a model for how to respond when the worst happens. Dan Cimpean, the cyber-chief who made the call, reflected on the vulnerability that comes with progress. "The more technology you have, the more digitised you are, the greater the risk," he said. The question now is whether other countries will learn from Romania's experience before they face their own crisis.
Citações Notáveis
An IT record is not just a list of patients. For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone.— Surgeon Oana Goidescu, Buzău Hospital
The more technology you have, the more digitised you are, the greater the risk.— Dan Cimpean, cyber-chief, Romanian national cyber-security centre
A Conversa do Hearth Outra perspectiva sobre a história
When the order came to disconnect 100 hospitals from the internet, did anyone push back? That's a massive decision.
You'd think so, but the speed of the attack left no room for debate. Once they saw the ransomware spreading through the Hippocrates system, waiting meant more hospitals getting infected. It was the only move that made sense.
But then you're asking surgeons and nurses to work without their tools. How did they actually manage patient care?
They went backward in time, essentially. Pen and paper, printed lab results, handwritten registers. It was slower, but the remarkable thing is that it worked. Some doctors said Romania's relatively recent shift to digital systems actually helped—they still remembered how to do things the old way.
No deaths, no serious harm reported. That seems almost miraculous given the scale.
It's not miraculous so much as it is a reminder that digital systems are tools, not necessities. When they're gone, you improvise. The real victory was the decision not to pay the ransom. That's what breaks the cycle.
What happens to the hackers?
Police aren't saying much. But the ransomware gang behind BackMyData had its website taken down in an international operation last year, and four Russians were arrested. Though Russia doesn't cooperate with Western law enforcement, so the investigation is complicated.
Is Romania unique, or are hospitals everywhere this vulnerable?
Everywhere. The UK's NHS had a breach that contributed to a patient's death. Change Healthcare in the US paid $22 million in ransom. Hospitals are targets because they're critical and because criminals know the pressure to restore services is immense. Romania just happened to refuse to pay.