The more technology you have, the more digitized you are, the greater the risk.
In February 2024, Romania's national cybersecurity director ordered more than 100 hospitals offline in a single decisive act, halting a ransomware assault that had crept through the country's medical software infrastructure. For four days, doctors and nurses returned to paper and memory, holding the line of patient care without the digital systems they had come to depend upon. The episode asks an old question in a new register: how much of our resilience lives in our tools, and how much remains in us when those tools are taken away.
- Hackers quietly infected 26 Romanian hospitals through a shared medical platform, encrypting critical records and demanding 160,000 euros in bitcoin before anyone fully understood the scale of the breach.
- A single command — disconnect over 100 hospitals from the internet immediately — stopped the spread cold but plunged medical staff into sudden analog darkness, erasing access to lab results, patient histories, and pharmacy systems in an instant.
- Surgeons, nurses, and administrators improvised with paper logs, printed lab results, and offline spreadsheets, drawing on institutional muscle memory from Romania's recent transition to digital systems to keep patients moving through care.
- Authorities refused to pay the ransom, used public media to manage patient flow, and worked with the software provider to restore systems from backups — with recovery speed directly tied to how recently each hospital had backed up its data.
- Within five days most hospitals were back online, no patients died, and Romania's response became an international case study — a stark contrast to US healthcare providers who faced similar attacks and chose to pay.
On the morning of February 10, 2024, Dan Cimpean of Romania's national cybersecurity centre issued an order that would reshape the country's healthcare system within hours: disconnect more than 100 hospitals from the internet, immediately. Hackers had breached a Bucharest software firm and were using it as a gateway to push ransomware called BackMyData through Hippocrates, a medical platform managing everything from patient admissions to pharmacy logistics. The first signs had appeared two days earlier at a children's hospital in Pitești — strange errors in the system — but by Monday dawn, dozens of hospitals were reporting the same silent corruption. The attackers wanted bitcoin, 160,000 euros worth.
The disconnection was brutal in its precision. No internet meant no connected devices, no digital records, no access to the infrastructure that modern hospitals had built their operations around. At Buzău Hospital, surgeon Oana Goidescu described watching everything vanish from the screen — lab tests, radiology images, medication orders — all of it gone. What followed was a masterclass in improvisation. At Carol Davila Hospital in Bucharest, staff developed offline patient registration methods, asked laboratories to print results on paper, and leaned on spreadsheets that needed no connection to function. Romania's relatively recent shift to digital systems worked in their favor: many staff still carried the muscle memory of analog work.
Cybersecurity investigators worked through the night. Their conclusion was firm: Romania would not pay the ransom. Authorities used the media to urge the public to avoid hospitals unless absolutely necessary, and instructed administrators not to contact or negotiate with the hackers. Waiting rooms filled regardless. Frightened patients, uncertain and frustrated, sometimes turned their anger on the staff working hardest to help them. Goidescu recalled the question that cut deepest: what if it were your mother?
Within five days, most hospitals were restored. The critical variable in recovery speed was simple: how recently had each hospital backed up its data. Some records entered on paper during the outage had to be manually re-entered afterward. Some data was lost permanently. But no patients died, and no serious harm was reported. Romania's decision to disconnect, refuse the ransom, and trust its people over its systems has since become a reference point for disaster planners worldwide — a road not taken by others, and the one that worked.
On the morning of February 10, 2024, Dan Cimpean sat at Romania's national cyber-security centre and made a choice that would ripple through the country's healthcare system within hours. Hackers had breached RSC, a Bucharest software firm, and were using that entry point to inject ransomware called BackMyData into hospitals across Romania. The malware was spreading through Hippocrates, a medical platform that handles everything from patient admissions to pharmacy logistics and test results. Cimpean's order was stark: disconnect more than 100 hospitals from the internet, immediately.
The decision was brutal in its simplicity. No internet meant no connected devices, no email, no web browsers. It meant that surgeons, nurses, and doctors would lose access to the digital records that had become the backbone of modern hospital operations. But it also meant stopping the hackers cold, buying time for cyber-experts to understand the scope of the breach and figure out how to eject the intruders from the system.
At Buzău Hospital, 120 kilometers northeast of Bucharest, surgeon Oana Goidescu was on shift when the alert came through. She described the moment with a kind of stunned clarity: an IT record is not just a list of patients. For each person, the system holds lab tests, radiology images, medicine orders, supply requests. All of it vanished from the screen. The first sign of trouble had actually come two days earlier, on Sunday morning, when staff at Pitești children's hospital noticed errors in the Hippocrates system. By Monday dawn, dozens of hospitals were reporting the same problem. The attackers had been quiet about their work, silently infecting machines and scrambling files into gibberish. They wanted bitcoin—160,000 euros, to be exact.
What happened next became a masterclass in improvisation under pressure. At Carol Davila Hospital in Bucharest, Vlad Paic and his colleagues developed an offline method to register every patient who came through the door. They asked the laboratory to print results on paper. They used Excel spreadsheets and other tools that didn't require an internet connection. They created workarounds that kept care moving forward even as the digital infrastructure lay dormant. Some hospitals benefited from the fact that Romania had only recently made the shift to fully digital systems—staff still remembered how to work with paper, still had the muscle memory for analog processes.
Cyber-investigators worked through the night. By the time they had their answer, 26 hospitals had been infected with BackMyData. The national cyber-security centre made another critical decision: they would not pay the ransom. Instead, they used the media to communicate with the public, urging people to avoid hospitals unless absolutely necessary. They also sent a clear message to hospital administrators: do not contact the hackers, do not negotiate. The waiting rooms filled anyway. Frustrated patients, frightened and uncertain, sometimes directed their anger at the staff who were doing everything they could with the tools they had left. Goidescu remembered the question that cut deepest: What if it were your mother?
Within five days, most hospitals were back online and operating close to normal. The cyber-experts had worked with the Hippocrates maker to identify infected systems and restore them from backups. This turned out to be one of the crucial details: hospitals that had recent copies of their data recovered faster and more completely. Some information recorded on paper during the outage had to be manually entered back into the system later. Some data was lost forever. But no patients died. No serious harm was reported.
What made this outcome possible was not luck. It was preparation, coordination, and the willingness to make a hard call quickly. Cimpean reflected on the attack afterward with a kind of grim clarity: the more technology you have, the more digitized you are, the greater the risk. The incident has become an international case study for disaster planners and hospital administrators trying to figure out how to respond when their systems go dark. Around the same time, Change Healthcare in the United States was hit by a similar attack and chose a different path—they paid 22 million dollars in ransom. Later that year, Ascension, another major US healthcare provider, suffered its own breach. The pattern was clear: hospitals are attractive targets because they handle critical services, and criminals know that disruption creates pressure to pay. Romania's choice to disconnect, to go analog, to refuse the ransom, and to focus on patient safety rather than system recovery became the road not taken by others—and the one that worked.
Notable Quotes
An IT record is not just a list of patients. For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone.— Surgeon Oana Goidescu, Buzău Hospital
Hospitals handle critical services, and the criminals think that the more disruption that can be caused, the more likely they are to get paid a ransom.— Alina Bîzgă, Bitdefender cyber-security firm
The Hearth Conversation Another angle on the story
Why disconnect 100 hospitals all at once instead of just the infected ones?
Because the hackers were still spreading through the software. If you leave some hospitals connected, the malware keeps jumping from one to another. You have to cut the whole network to stop the bleeding.
But that's a massive disruption. How do you know it won't cause deaths?
You don't, not for certain. But you know what will happen if you don't act—the infection spreads, more systems fail, and you lose control of the situation entirely. The calculation is: controlled chaos now, or uncontrolled chaos later.
The paper records—was that improvisation or did hospitals have a plan?
Mostly improvisation. Some staff remembered how to work without computers because Romania had only recently gone digital. But they had to invent the workarounds on the fly. Excel spreadsheets, printed lab results, handwritten patient registers. It worked because people understood what mattered: keeping patients safe, not protecting the system.
What about the ransom demand? That's a lot of money.
It is, but paying it doesn't guarantee anything. The hackers might not restore your data. They might come back for more. Romania decided the risk of paying was worse than the pain of recovery. They were right—they recovered without paying, and no one died.
So this becomes a template for other countries?
It does, but with a caveat. Romania had something many countries don't: recent backups. Without those, the recovery would have taken months instead of days. That's the real lesson—prepare before the attack, not during it.